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CUSTOMER SUPPORT 

INTEL'S COMPLETE SUPPORT SOLUTION WORLDWIDE 

Customer Support is Intel's complete support service that provides Intel customers with hardware support, 
software support, customer training, consulting services and network management services. For detailed infor- 
mation contact your local sales offices. 

After a customer purchases any system hardware or software product, service and support become major 
factors in determining whether that product will continue to meet a customer's expectations. Such support 
requires an international support organization and a breadth of programs to meet a variety of customer needs. 
As you might expect, Intel's customer support is quite extensive. It can start with assistance during your 
development effort to network management. 100 Intel sales and service offices are located worldwide — in the 
U.S., Canada, Europe and the Far East. So wherever you're using Intel technology, our professional staff is 
within close reach. 

HARDWARE SUPPORT SERVICES 

Intel's hardware maintenance service, starting with complete on-site installation will boost your productivity 
from the start and keep you running at maximum efficiency. Support for system or board level products can be 
tailored to match your needs, from complete on-site repair and maintenance support to economical carry-in or 
mail-in factory service. 

Intel can provide support service for not only Intel systems and emulators, but also support for equipment in 
your development lab or provide service on your product to your end-user/customer. 

SOFTWARE SUPPORT SERVICES 

Software products are supported by our Technical Information Service (TIPS) that has a special toll free 
number to provide you with direct, ready information on known, documented problems and deficiencies, as 
well as work-arounds, patches and other solutions. 

Intel's software support consists of two levels of contracts. Standard support includes TIPS (Technical Infor- 
mation Phone Service), updates and subscription service (product-specific troubleshooting guides and; 
COMMENTS Magazine). Basic support consists of updates and the subscription service. Contracts are sold in 
environments which represent product groupings (e.g., iRMX® environment). 

CONSULTING SERVICES 

Intel provides field system engineering consulting services for any phase of your development or application 
effort. You can use our system engineers in a variety of ways ranging from assistance in using a new product, 
developing an application, personalizing training and customizing an Intel product to providing technical and 
management consulting. Systems Engineers are well versed in technical areas such as microcommunications, 
real-time applications, embedded microcontrollers, and network services. You know your application needs; 
we know our products. Working together we can help you get a successful product to market in the least 
possible time. 

CUSTOMER TRAINING 

Intel offers a wide range of instructional programs covering various aspects of system design and implementa- 
tion. In just three to ten days a limited number of individuals learn more in a single workshop than in weeks of 
self-study. For optimum convenience, workshops are scheduled regularly at Training Centers worldwide or we 
can take our workshops to you for on-site instruction. Covering a wide variety of topics, Intel's major course 
categories include: architecture and assembly language, programming and operating systems, BITBUS™ and 
LAN applications. 

NETWORK MANAGEMENT SERVICES 

Today's networking products are powerful and extremely flexible. The return they can provide on your invest- 
ment via increased productivity and reduced costs can be very substantial. 

Intel offers complete network support, from definition of your network's physical and functional design, to 
implementation, installation and maintenance. Whether installing your first network or adding to an existing 
one, Intel's Networking Specialists can optimize network performance for you. 
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CHAPTER 1 
INTRODUCTION TO THE 386™ DX MICROPROCESSOR 

The 386™ DX microprocessor is an advanced 32-bit processor optimized for multitask- 
ing operating systems and other computation-intensive appHcations. The 32-bit registers 
and buses support 32-bit addresses and data. The processor can address up to 4 
gigabytes of physical memory and 64 terabytes of virtual memory. 

The 386 DX microprocessor includes: 

o 32-bit integer processor for performing arithmetic and logical operations 

o interface to the 387™ numerics coprocessor, an external floating-point arithmetic unit 
for supporting the 32-, 64-, and 80-bit formats specified in IEEE standard 754 

o segmentation, a form of memory management for creating independent, protected 
address spaces 

o paging, a form of memory management which provides access to data structures 
larger than the available memory space by keeping them partly in memory and partly 
on disk 

o instruction backup for allowing a program to be restarted following an exception 
(necessary for supporting demand-paged virtual memory) 

© pipelined instruction execution for allowing the interpretation of different instruc- 
tions to be overlapped 

® debugging registers for hardware support of instruction and data breakpoints 

The Intel386™ architecture is an extension of Intel's 16-bit architecture to 32 bits. The 
native mode of execution is a powerful 32-bit instruction set which takes full advantage 
of a completely 32-bit architecture. Object-code compatibility with the 8086 and 80286 
processors are provided through different modes of execution. Programs running in the 
compatibility mode for the 8086 processor can run with 32-bit programs when multitask- 
ing is used. In addition to the 386 DX microprocessor, which has a 32-bit data bus, the 
Intel386 architecture is available in two implementations with a 16-bit external data bus: 

9 386 DX Microprocessor — The complete architecture of the 386 DX microprocessor 
adapted for midrange personal computers, which are sensitive to the higher system 
cost of a 32-bit bus. 

o 376™ Embedded Processor — A reduced form of the 386 DX microprocessor opti- 
mized for embedded applications, such as process controllers. The 376 processor 
lacks the paging and 8086-compatibility features provided in the 386 DX micropro- 
cessor. The 376 processor is available in a surface-mount plastic package, which pro- 
vides the lowest cost and smallest form factor for any implementation of the Intel386 
architecture. 

Both processors can run programs written for the 386 DX microprocessor, but with some 
reduction in performance due to the narrower bus. Both processors can use the 387™ SX 
numerics coprocessor, which is an implementation of the 387 coprocessor with a 16-bit 
interface. 
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1.1 ORGANIZATION OF THIS MANUAL 

This book presents the Intel386 architecture in four parts: 

Part I — AppHcation Programming 

Part II — System Programming 

Part III -CompatibiHty 

Part IV —Instruction Set 
Appendices 

These divisions are determined by the architecture and by the ways programmers use 
this book. The first three parts are explanatory, showing the purpose of architectural 
features, developing terminology and concepts, and describing instructions as they relate 
to specific purposes or to specific architectural features. The remaining parts are refer- 
ence material for programmers developing software for the 386 DX microprocessor. 

The first three parts cover the operating modes and protection mechanism of the 386 
DX microprocessor. The distinction between application programming and system pro- 
gramming is related to the protection mechanism of the 386 DX microprocessor. One 
purpose of protection is to prevent applications from interfering with the operating sys- 
tem. For this reason, certain registers and instructions are inaccessible to application 
programs. The features discussed in Part I are those which are accessible to applications; 
the features in Part II are available only to programs running with special privileges, or 
programs running on systems where the protection mechanism is not used. 

The mode of the 386 DX microprocessor affects which instructions and architectural 
features are accessible. The 386 DX microprocessor has three modes for running 
programs: 

Protected mode uses the native 32-bit instruction set of the processor. In this mode all 
instructions and architectural features are available. 

Real-address mode (also called "real mode") emulates the programming environment of 
the 8086 processor, with a few extensions (such as the ability to break out of this mode). 
Reset initialization places the processor into real mode. 

Virtual-8086 mode (also called "V86 mode") is another form of 8086 emulation mode. 
Unlike real-address mode, virtual-8086 mode is compatible with protection and memory 
management. The processor can enter virtual-8086 mode from protected mode to run a 
program written for the 8086 processor, then leave virtual-8086 mode and re-enter pro- 
tected mode to continue a program which uses the 32-bit instruction set. 

The features available to application programs in protected mode and to all programs in 
virtual-8086 mode are the same. These features are described in Part I of this book. The 
additional features available to system programs in protected mode are described in 
Part II. Part III describes real-address mode and virtual-8086 mode, as well as how to 
run a mix of 16-bit and 32-bit programs. 
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1.1.1 Part I —Application Programming 

This part presents the architecture used by appHcation programmers. 

Chapter 2 — Basic Programming Model: Introduces the models of memory organization. 
Defines the data types. Presents the register set used by appHcations. Introduces the 
stack. Explains string operations. Defines the parts of an instruction. Explains address 
calculations. Introduces interrupts and exceptions as they apply to application 
programming. 

Chapter 3— Application Instruction Set: Surveys the instructions commonly used for 
application programming. Considers instructions in functionally related groups; forexam- 
ple, string instructions are considered in one section, while control-transfer instructions 
are considered in another. Explains the concepts behind the instructions. Details of 
individual instructions are deferred until Part IV, the instruction-set reference. 



1.1.2 Part ll-System Programming 

This part presents the Intel386 architectural features used by operating systems, device 
drivers, debuggers, and other software which support application programs. 

Chapter 4 — System Architecture: Describes the features of the 386 DX microprocessor 
used by system programmers. Introduces the remaining registers and data structures of 
the 386 DX microprocessor which were not discussed in Part I. Introduces the system- 
oriented instructions in the context of the registers and data structures they support. 
References the chapters in which each register, data structure, and instruction is dis- 
cussed in more detail. 

Chapter 5 — Memory Management: Presents details of the data structures, registers, and 
instructions which support segmentation. Explains how system designers can choose be- 
tween an unsegmented ("flat") model of memory organization and a model with 
segmentation. 

Chapter 6 — Protection: Discusses protection as it applies to segments. Explains the im- 
plementation of privilege rules, stack switching, pointer validation, user and supervisor 
modes. Protection aspects of multitasking are deferred until the following chapter. 

Chapter 7 — Multitasking: Explains how the hardware of the 386 DX microprocessor 
supports multitasking with context-switching operations and intertask protection. 

Chapter 8 — Input/Output: Describes the I/O features of the 386 DX microprocessor, 
including I/O instructions, protection as it relates to I/O, and the I/O permission bit map. 

Chapter 9 — Exceptions and Interrupts: Explains the basic interrupt mechanisms of the 
386 DX microprocessor. Shows how interrupts and exceptions relate to protection. Dis- 
cusses all possible exceptions, listing causes and including information needed to handle 
and recover from each exception. 
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Chapter 10 — Initialization: Defines the condition of the processor after reset initiahza- 
tion. Explains how to set up registers, flags, and data structures. Contains an example of 
an initialization program. 

Chapter 11 — Coprocessing and Multiprocessing: Explains the instructions and flags 
which support multiple processors with shared memory and floating-point arithmetic 
coprocessors. 

Chapter 12 — Debugging: Tells how to use the debugging registers of the 386 DX 
microprocessor. "^ 



1.1.3 Part III -Compatibility 

This part explains the features of the architecture which support 16-bit programming. 
All three execution modes have support for 16-bit programming: 16-bit operations can 
be performed in protected mode using the operand size prefix, programs written for the 
8086 processor or the real mode of the 80286 processor can run in real mode on the 386 
DX microprocessor, and a virtual machine monitor can be used to emulate real mode 
using virtual-8086 mode, even while multitasking with 32-bit programs. 

Chapter 13 — Executing 80286 Programs: Because the 386 DX microprocessor supports a 
superset of the programming environment of the 80286 processor, an application can be 
ported to the 386 DX microprocessor along with its operating system. It is also possible 
to port only the application, for use with a 32-bit operating system. 

Chapter 14 — Real-Address Mode: Explains the real mode of the 386 DX microprocessor. 
In this mode, the 386 DX microprocessor appears as a fast real-mode 80286 processor or 
a fast 8086 processor enhanced with additional instructions. 

Chapter 15— Virtual-8086 Mode: The 386 DX rtiicroprocessor can switch rapidly 
between protected mode and virtual-8086 mode, which allows multitasking among pro- 
grams running in different modes. 

Chapter 16 — Mixing 16-Bit and 32-Bit Code: Even within a program or task, the 386 DX 
microprocessor can mix 16-bit and 32-bit modules. Any particular module can use both 
16-bit and 32-bit operands and addresses. 



1.1.4 Part IV- Instruction Set 

Parts I and II present the instruction set as it relates to specific aspects of the architec- 
ture. Part III discusses compatibility with programs written for Intel 16-bit processors. 
Part IV presents the instructions in alphabetical order, with the detail needed by 
assembly-language programmers and programmers of debuggers, compilers, operating 
systems, etc. Instruction descriptions include an algorithmic description of operations, 
effect of flag settings, effect on flag settings, effect of operand and address-size 
attributes, and exceptions which may be generated. 
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1.1.5 Appendices 

The appendices present tables of encodings and other details in a format designed for 
quick reference by programmers. 



1.2 RELATED LITERATURE 

The following books contain additional material related to the Intel386 family: 

Introduction to the 80386, Order Number 231252 

386™ DX Microprocessor Hardware Reference Manual, Order Number 231732 

80386 Processor System Software Writer's Guide, Order Number 231499 

386™ DX Microprocessor High-Performance 32-Bit CHMOS Microprocessor with Integrated 

Memory Management, Order Number 231630 
376™ Embedded Processor Programmer's Reference Manual, Order Number 240314 

80387 Programmer's Reference Manual, Order Number 231917 

376™ High-Performance 32-Bit Embedded Processor, Order Number 240182 

386™ SX Microprocessor, Order Number 240187 

Microprocessor and Peripheral Handbook (vol. I), Order Number 230843 

The 386™ DX Microprocessor Hardware Reference Manual is the companion of this book 
for use by hardware designers. It contains information which may be useful to program- 
mers, especially system programmers. For example, software may be affected by these 
features of the hardware design: 

® Asserting (or not asserting) the READY# input in response to bus cycles to unim- 
plemented addresses. 

® Asserting (or not asserting) the READY# input in response to write cycles to ROM. 

® Assignment of the memory space to different bus sizes (16 or 32 bits). 

® Assignment of the memory space to different forms of memory, such as EPROM, 
dynamic RAM, and fast static RAM. 

© Assignment of user-defined interrupt vectors. 

® Placement of I/O ports in the physical memory space, or in a separate I/O address 
space. 

® Response of hardware to receiving a halt indication from the processor. 

® Response of hardware to receiving a shutdown indication from the processor. 

® Running the built-in self-test (BIST). This test can be invoked only from hardware, 
and the result of the test can be read only by software. 

The data sheet contains the latest information regarding device parameters (voltage 
levels, bus cycle timing, priority of simultaneous exceptions and interrupts, etc.). The 
data sheet is found in the Microprocessor and Peripheral Handbook (vol. 1). 
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1.3 NOTATIONAL CONVENTIONS 

This manual uses special notation for data-structure formats, for symbolic representation 
of instructions, and for hexadecimal numbers. A review of this notation makes the man- 
ual easier to read. 



1.3.1 Bit and Byte Order 

In illustrations of data structures in memory, smaller addresses appear toward the bot- 
tom of the figure; addresses increase toward the top. Bit positions are numbered from 
right to left. The numerical value of a set bit is equal to two raised to the power of the bit 
position. The 386 DX microprocessor is a "little endian" machine; this means the bytes 
of a word are numbered starting from the least significant byte. Figure 1-1 illustrates 
these conventions. 

Numbers are usually expressed in decimal notation (base 10). When hexadecimal (base 
16) numbers are used, they are indicated by an 'H' suffix. 

1.3.2 Undefined Bits and Software Compatibility 

In many register and memory layout descriptions, certain bits are marked as reserved. 
When bits are marked as undefined or reserved, it is essential for compatibility with 
future processors that software treat these bits as having a future, though unknown, 
effect. Software should follow these guidelines in dealing with reserved bits: 

• Do not depend on the states of any reserved bits when testing the values of registers 
which contain such bits. Mask out the reserved bits before testing. 

o Do not depend on the states of any reserved bits when storing to memory or to a 
register. 
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Figure 1-1. Bit and Byte Order 
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Do not depend on the ability to retain information written into any reserved bits. 

When loading a register, always load the reserved or undefined bits with the values 
indicated in the documentation, if any, or reload them with values previously stored 
from the same register. (This means to store the register contents, modify only the 
necessary bits, and then load the new value into the register.) 



NOTE 

Depending upon the values of reserved register bits will make software dependent upon 
the unspecified manner in which the 386 DX microprocessor handles these bits. 
Depending upon reserved values risks incompatibility with future processors. AVOID 
ANY SOFTWARE DEPENDENCE UPON THE STATE OF RESERVED 386 DX 
MICROPROCESSOR REGISTER BITS. 



1.3.3 Instruction Operands 

When instructions are represented symbolically, a subset of the assembly language for 
the 386 DX microprocessor is used. In this subset, an instruction has the following 
format: 

label: mnemonic argument!, argument!, argument3 

where: 

© A label is an identifier which is followed by a colon. 

• A mnemonic is a reserved name for a class of instruction opcodes which have the 
same function. 

© The operands argument 1, argument!, and argument3 are optional. There may be from 
zero to three operands, depending on the opcode. When present, they take the form 
of either literals or identifiers for data items. Operand identifiers are either reserved 
names of registers or are assumed to be assigned to data items declared in another 
part of the program (which may not be shown in the example). 

When two operands are present in an arithmetic or logical instruction, the right operand 
is the source and the left operand is the destination. Some assembly languages put the 
source and destination in reverse order. 

For example: 

LDADREG: MDV EAX, SUBTOTAL 

In this example LOADREG is a label, MOV is the mnemonic identifier of an opcode, 
EAX is the destination operand, and SUBTOTAL is the source operand. 
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1.3.4 Hexadecimal Numbers 

Base 16 numbers are represented by a string of hexadecimal digits followed by the char- 
acter H. A hexadecimal digit is a character from the set (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, 
C, D, E, F). A leading zero is added if the number would otherwise begin with one of the 
digits A-F. For example, OFH is equivalent to the decimal number 15. 

1.3.5 Segmented Addressing 

Intel processors use byte addressing. This means memory is organized and accessed as a 
sequence of bytes. Whether one or more bytes are being accessed, a byte number is used 
to address memory. The memory which can be addressed with this number is called an 
address space. 

Intel processors also support segmented addressing. This is a form of addressing where a 
program may have many independent address spaces, called segments. For example, a 
program can keep its code (instructions) and stack in separate segments. Code addresses 
would always refer to the code space, and stack addresses would always refer to the stack 
space. An example of the notation used to show segmented addresses is shown below. 

CS:EIP 

This example refers to a byte within the code segment. The byte number is held in the 
EIP register. 

1.3.6 Exceptions 

An exception is an event which occurs when an instruction causes an error. For example, 
an attempt to divide by zero generates an exception. There are several different types of 
exceptions, and some of these types may provide error codes. An error code reports 
additional information about the error. Error codes are produced only for some excep- 
tions. An example of the notation used to show an exception and error code is shown 
below. 

#PF(fauh code) 

This example refers to a page-fault exception under conditions where an error code 
naming a type of fault is reported. Under some conditions, exceptions which produce 
error codes may not be able to report an accurate code. In this case, the error code is 
zero, as shown below. 

#PF(0) 
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CHAPTER 2 
BASIC PROGRAMMING MODEL 

This chapter describes the appHcation programming environment of the 386"^" DX 
microprocessor as seen by assembly language programmers. The chapter introduces pro- 
grammers to those features of the Intel386™ architecture which directly affect the design 
and implementation of application programs. 

The basic programming model consists of these parts: 

• Memory organization 

• Data types 

• Registers 

« Instruction format 

• Operand selection 

• Interrupts and exceptions 

Note that input/output is not included as part of the basic programming model. System 
designers may choose to make I/O instructions available to applications or may choose to 
reserve these functions for the operating system. For this reason, the I/O features of the 
386 DX microprocessor are discussed in Part II. 

This chapter contains a section for each feature of the architecture normally visible to 
applications. 

2.1 MEMORY ORGANIZATION 

The memory on the bus of a 386 DX microprocessor is called physical memory. It is 
organized as a sequence of 8-bit bytes. Each byte is assigned a unique address, called a 
physical address, which ranges from zero to a maximum of 7?'^-\ (4 gigabytes). Memory 
management is a hardware mechanism for making reliable and efficient use of memory. 
When memory management is used, programs do not directly address physical memory. 
Programs address a memory model, called virtual memory. 

Memory management consists of segmentation and paging. Segmentation is a mecha- 
nism for providing multiple, independent address spaces. Paging is a mechanism to sup- 
port a model of a large address space in RAM using a small amount of RAM and some 
disk storage. Either or both of these mechanisms may be used. An address issued by a 
program is a logical address. Segmentation hardware translates a logical address into an 
address for a continuous, unsegmented address space, called a linear address. Paging 
hardware translates a linear address into a physical address. 

Memory may appear as a single, addressable space like physical memory. Or, it may 
appear as one or more independent memory spaces, called segments. Segments can be 
assigned specifically for holding a program's code (instructions), data, or stack. In fact, a 
single program may have up to 16,383 segments of different sizes and kinds. Segments 
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can be used to increase the reliability of programs and systems. For example, a pro- 
gram's stack can be put into a different segment than its code to prevent the stack from 
growing into the code space and overwriting instructions with data. 

Whether or not multiple segments are used, logical addresses are translated into linear 
addresses by treating the address as an offset into a segment. Each segment has a seg- 
ment descriptor, which holds its base address and size limit. If the offset does not exceed 
the limit, and no other condition exists which would prevent reading the segment, the 
offset and base address are added together to form the linear address. 

The linear address produced by segmentation is used directly as the physical address if 
bit 31 of the CRO register is clear (the CRO register is discussed in Chapter 4). This 
register bit controls whether paging is used or not used. If the bit is set, the paging 
hardware is used to translate the linear address into the physical address. 

The paging hardware gives another level of organization to memory. It breaks the linear 
address space into fixed blocks of 4K bytes, called pages. The logical address space is 
mapped into the linear address space, which is mapped into some number of pages. A 
page may be in memory or on disk. When a logical address is issued, it is translated into 
an address for a page in memory, or an exception is issued. An exception gives the 
operating system a chance to read the page from disk and update the page mapping. The 
program which generated the exception then can be restarted without generating an 
exception. 

If multiple segments are used, they are part of the programming environment seen by 
application programmers. If paging is used, it is normally invisible to the apphcation 
programmer. It only becomes visible when there is an interaction between the applica- 
tion program and the paging algorithm used by the operating system. When all of the 
pages in memory are used, the operating system uses its paging algorithm to decide 
which memory pages should be sent to disk. All paging algorithms (except random algo- 
rithms) have some kind of worst-case behavior which may be exercised by some kinds of 
application programs. 

The architecture of the 386 DX microprocessor gives designers the freedom to choose a 
different memory model for each program, even when more than one program is running 
at the same time. The model of memory organization can range between the following 
extremes: 

• A "flat" address space where the code, stack, and data spaces are mapped to the 
same linear addresses. To the greatest extent possible, this eliminates segmentation 
by allowing any type of memory reference to access any type of data. 

• A segmented address space with separate segments for the code, data, and stack 
spaces. As many as 16,383 linear address spaces of up to 4 gigabytes each can be used. 

Both models can provide memory protection. Models intermediate between these ex- 
tremes also can be chosen. The reasons for choosing a particular memory model and the 
manner in which system programmers implement a model are discussed in Part II — 
System Programming. 
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2.1.1 Unsegmented or 'TIat" Model 

The simplest memory model is the flat model. Although there isn't a mode bit or control 
register which turns off the segmentation mechanism, the same effect can be achieved by 
mapping all segments to the same linear addresses. This will cause all memory opera- 
tions to refer to the same memory space. 

In a flat model, segments may cover the entire 4 gigabyte range of physical addresses, or 
they may cover only those addresses which are mapped to physical memory. The advan- 
tage of the smaller address space is it provides a minimum level of hardware protection 
against software bugs; an exception will occur if any logical address refers to an address 
for which no memory exists. 



2.1.2 Segmented Model 

In a segmented model of memory organization, the logical address space consists of as 
many as 16,383 segments of up to 4 gigabytes each, or a total as large as 2^^ bytes (64 
terabytes). The processor maps this 64 terabyte logical address space onto the physical 
address space (up to 4 gigabytes) by the address translation mechanism described in 
Chapter 5. Application programmers may ignore the details of this mapping. The advan- 
tage- of the segmented model is that offsets within each address space are separately 
checked and access to each segment can be individually controlled. 

A pointer into a segmented address space consists of two parts (see Figure 2-1). 

1. A segment selector, which is a 16-bit field which identifies a segment. 

2. An ojfset, which is a 32-bit byte address within a segment. 

The processor uses the segment selector to find the linear address of the beginning of 
the segment, called the base address. Programs access memory using fixed offsets from 
this base address, so an object-code module may be loaded into memory and run without 
changing the addresses it uses (dynamic linking). The size of a segment is defined by the 
programmer, so a segment can be exactly the size of the module it contains. 



2.2 DATATYPES 

Bytes, words, and doublewords are the principal data types (see Figure 2-2). A byte is 
eight bits. The bits are numbered through 7, bit being the least significant bit (LSB). 

A word is two bytes occupying any two consecutive addresses. A word contains 16 bits. 
The bits of a word are numbered from through 15, bit again being the least signifi- 
cant bit. The byte containing bit of the word is called the low byte; the byte containing 
bit 15 is called the high byte. On the 386 DX microprocessor, the low byte is stored in the 
byte with the lower address. The address of the low byte also is the address of the word. 
The address of the high byte is used only when the upper half of the word is being 
accessed separately from the lower half. 
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Figure 2-1. Segmented Addressing 

A doubleword is four bytes occupying any four consecutive addresses. A doubleword 
contains 32 bits. The bits of a doubleword are numbered from through 31, bit again 
being the least significant bit. The word containing bit of the doubleword is called the 
low word; the word containing bit 31 is called the high word. The low word is stored in 
the two bytes with the lower addresses. The address of the lowest byte is the address of 
the doubleword. The higher addresses are used only when the upper word is being 
accessed separately from the lower word, or when individual bytes are being accessed. 
Figure 2-3 illustrates the arrangement of bytes within words and doublewords. 

Note that words do not need to be aligned at even-numbered addresses and double- 
words do not need to be aligned at addresses evenly divisible by four. This allows maxi- 
mum flexibility in data structures (e.g., records containing mixed byte, word, and 
doubleword items) and efficiency in memory utilization. Because the 386 DX micropro- 
cessor has a 32-bit data bus, communication between processor and memory takes place 
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Figure 2-3. Bytes, Words, and Doublewords in Memory 
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as doubleword transfers aligned to addresses divisible by four; the processor converts 
doubleword transfers aligned to other addresses into multiple transfers. These unaligned 
operations reduce speed by requiring extra bus cycles. For maximum speed, data struc- 
tures (especially stacks) should be designed so, whenever possible, word operands are 
aligned to even addresses and doubleword operands are aligned to addresses evenly 
divisible by four. 

Although bytes, words, and doublewords are the fundamental types of operands, the 
processor also supports additional interpretations of these operands. Specialized instruc- 
tions recognize the following data types (shown in Figure 2-4): 



Integer: A signed binary number held in a 32-bit doubleword, 16-bit word, or 

8-bit byte. All operations assume a two's complement representation. 
The sign bit is located in bit 7 in a byte, bit 15 in a word, and bit 31 in a 
doubleword. The sign bit is set for negative integers, clear for positive 
integers and zero. The value of an 8-bit integer is from - 128 to + 127; 



a 16-bit integer from -32,768 to +32,767; a 32-bit integer from -T^ to 

+ 2^^ -1. 



Ordinal: An unsigned binary number contained in a 32-bit doubleword, 16-bit 

word, or 8-bit byte. The value of an 8-bit ordinal is from to 255; a 
16-bit ordinal from to 65,535; a 32-bit ordinal from to 2^^ - 1. 

Near Pointer: A 32-bit logical address. A near pointer is an offset within a segment. 
Near pointers are used for all pointers in a flat memory model, or for 
references within a segment in a segmented model. 

Far Pointer: A 48-bit logical address consisting of a 16-bit segment selector and a 
32-bit offset. Far pointers are used in a segmented memory model to 
access other segments. 



String: 



A contiguous sequence of bytes, words, or doublewords. A string may 
contain from zero to 1?^ - 1 bytes (4 gigabytes). 



Bit field: A contiguous sequence of bits. A bit field may begin at any bit position 

of any byte and may contain up to 32 bits. 

Bit string: A contiguous sequence of bits. A bit string may begin at any bit position 

of any byte and may contain up to 2^^ - 1 bits. 



BCD: 



A representation of a binary-coded decimal (BCD) digit in the range 
through 9. Unpacked decimal numbers are stored as unsigned byte 
quantities. One digit is stored in each byte. The magnitude of the num- 
ber is the binary value of the low-order half-byte; values to 9 are valid 
and are interpreted as the value of a digit. The high-order half-byte 
must be zero during multiplication and division; it may contain any 
value during addition and subtraction. 
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Packed BCD: A representation of binary-coded decimal digits, each in the range to 
9. One digit is stored in each half-byte, two digits in each byte. The digit 
in bits 4 to 7 is more significant than the digit in bits to 3. Values to 
9 are valid for a digit. 

2.3 REGISTERS 

The 386 DX microprocessor contains sixteen registers which may be used by an applica- 
tion programmer. As Figure 2-5 shows, these registers may be grouped as: 

1. General Registers. These eight 32-bit registers are free for use by the programmer. 

2. Segment registers. These registers hold segment selectors associated with different 
forms of memory access. For example, there are separate segment registers for ac- 
cess to code and stack space. These six registers determine, at any given time, which 
segments of memory are currently available. 

3. Status and control registers. These registers report and allow modification of the 
state of the 386 DX microprocessor. 

2.3.1 General Registers 

The general registers; are the 32-bit registers EAX, EBX, ECX, EDX, EBP, ESP, ESI, 
and EDI. These registers are used to hold operands for logical and arithmetic opera- 
tions. They also may be used to hold operands for address calculations (except the ESP 
register cannot be used as an index operand). The names of these registers are derived 
from the names of the general registers on the 8086 processor, the AX, BX, CX, DX, 
BP, SP, SI, and DI registers. As Figure 2-5 shows, the low 16 bits of the general registers 
can be referenced using these names. 

Operations which specify a general register as a destination can change part or all of the 
register. If a destination register has more bytes than the operand, the upper part of the 
register is left unchanged. Instructions which use a 16-bit general register require the 
16-bit operand size prefix. The prefix is a byte with the value 67H placed before the rest 
of the instruction. Instruction opcodes use a single bit to select either 8- or 32-bit oper- 
ands. Selection of 16-bit operands is infrequent enough that an instruction prefix is a 
more efficient instruction encoding than one in which an additional bit in the opcode is 
used. This, together with byte alignment of instructions, provides greater code density 
than with word-aligned instruction sets. The 386 DX microprocessor has many one-, 
two-, and three-byte instructions which would be two- and four-byte instructions in a 
word-aligned instruction set. 

Each byte of the 16-bit registers AX, BX, CX, and DX also have other names. The byte 
registers are named AH, BH, CH, and DH (high bytes) and AL, BL, CL, and DL (low 
bytes). 

All of the general-purpose registers are available for address calculations and for the 
results of most arithmetic and logical operations; however, a few instructions assign 
specific registers to hold operands. For example, string instructions use the contents of 
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Figure 2-5. Application Register Set 

the ECX, ESI, and EDI registers as operands. By assigning specific registers for these 
functions, the instruction set can be encoded more compactly. The instructions using 
specific registers include: double-precision multiply and divide, I/O, strings, translate, 
loop, variable shift and rotate, and stack operations. 

2.3.2 Segment Registers 

Segmentation gives system designers the flexibility to choose among various models of 
memory organization. Implementation of memory models is the subject of Part II — 
System Programming. 
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The segment registers contain 16-bit segment selectors, which index into tables in mem- 
ory. The tables hold the base address for each segment, as well as other information 
regarding memory access. An unsegmented model is created by mapping each segment 
to the same place in physical memory, as shown in Figure 2-6. 

At any instant, up to six segments of memory are immediately available. The segment 
registers CS, DS, SS, ES, FS, and GS hold the segment selectors for these six segments. 
Each register is associated with a particular kind of memory access (code, data, or stack), 
Each register specifies a segment, from among the segments used by the program, which 
is used for its kind of access (see Figure 2-7). Other segments can be used by loading 
their segment selectors into the segment registers. 

The segment containing the instructions being executed is called the code segment. Its 
segment selector is held in the CS register. The 386 DX microprocessor fetches instruc- 
tions from the code segment, using the contents of the EIP register as an offset into the 
segment. The CS register is loaded as the result of interrupts, exceptions, and instruc- 
tions which transfer control between segments (e.g., the CALL and JMP instructions). 

Before a procedure is called, a region of memory needs to be allocated for a stack. The 
stack is used to hold the return address, parameters passed by the calling routine, and 
temporary variables allocated by the procedure. All stack operations use the SS register 
to find the stack segment. Unlike the CS register, the SS register can be loaded explic- 
itly, which permits application programs to set up stacks. 

The DS, ES, FS, and GS registers allow as many as four data segments to be available 
simultaneously. Four data segments give efficient and secure access to different types of 
data structures. For example, separate data segments can be created for the data struc- 
tures of the current module, data exported from a higher-level module, a dynamically- 
created data structure, and data shared with another program. If a bug causes a program 
to run wild, the segmentation mechanism can limit the damage to only those segments 
allocated to the program. An operand within a data segment is addressed by specifying 
its offset either in an instruction or a general register. 

Table 2-1. Register Names 
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Figure 2-6. An Unseg merited Memory 

Depending on the structure of data (i.e., the way data is partitioned into segments), a 
program may require access to more than four data segments. To access additional 
segments, the DS, ES, FS, and GS registers can be loaded by an apphcation program 
during execution. The only requirement is to load the appropriate segment register be- 
fore accessing data in its segment. 

A base address is kept for each segment. To address data within a segment, a 32-bit 
offset is added to the segment's base address. Once a segment is selected (by loading the 
segment selector into a segment register), an instruction only needs to specify the offset. 
Simple rules define which segment register is used to form an address when only an 
offset is specified. 



2.3.3 Stack Implementation 



Stack operations are supported by three registers: 



1. Stack Segment (SS) Register: Stacks reside in memory. The number of stacks in a 
system is limited only by the maximum number of segments. A stack may be up to 4 
gigabytes long, the maximum size of a segment on the 386 DX microprocessor. One 
stack is available at a time — the stack whose segment selector is held in the SS 
register. This is the current stack, often referred to simply as "the" stack. The SS 
register is used automatically by the processor for all stack operations. 

2. Stack Pointer (ESP) Register: The ESP register holds an offset to the top-of-stack 
(TOS) in the current stack segment. It is used by PUSH and POP operations, sub- 
routine calls and returns, exceptions, and interrupts. When an item is pushed onto 
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Figure 2-7. A Segmented Memory 

the stack (see Figure 2-8), the processor decrements the ESP register, then writes 
the item at the new TOS. When an item is popped off the stack, the processor 
copies it from the TOS, then increments the ESP register. In other words, the stack 
grows down in memory toward lesser addresses. 

3. Stack-Frame Base Pointer (EBP) Register: The EBP register typically is used to 
access data structures passed on the stack. For example, on entering a subroutine 
the stack contains the return address and some number of data structures passed to 
the subroutine. The subroutine adds to the stack whenever it needs to create space 
for temporary local variables. As a result, the stack pointer moves around as tempo- 
rary variables are pushed and popped. If the stack pointer is copied into the base 
pointer before anything is pushed on the stack, the base pointer can be used to 
reference data structures with fixed offsets. If this is not done, the offset to access a 
particular data structure would change whenever a temporary variable is allocated 
or de-allocated. 

When the EBP register is used to address memory, the current stack segment is 
selected (i.e., the SS segment). Because the stack segment does not have to be 
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Figure 2-8. Stacks 



specified, instruction encoding is more compact. The EBP register also can be used 
to address other segments. 

Instructions, such as the ENTER and LEAVE instructions, are provided which au- 
tomatically set up the EBP register for convenient access to variables. 



2.3.4 Flags Register 

Condition codes (e.g., carry, sign, overflow) and mode bits are kept in a 32-bit register 
named EFLAGS. Figure 2-9 defines the bits within this register. The flags control cer- 
tain operations and indicate the status of the 386 DX microprocessor. 

The flags may be considered in three groups: status flags, control flags, and system flags. 
Discussion of the system flags occurs in Part II. 

2.3.4.1 STATUS FLAGS 

The status flags of the EFLAGS register report the kind of result produced from the 
execution of arithmetic instructions. The MOV instruction does not affect these flags. 
Conditional jumps and subroutine calls allow a program to sense the state of the status 
flags and respond to them. For example, when the counter controlling a loop is decre- 
mented to zero, the state of the ZF flag changes, and this change can be used to sup- 
press the conditional jump to the start of the loop. 

The status flags are shown in Table 2-2. 



2.3.4.2 CONTROL FLAG 

The control flag DF of the EFLAGS register controls string instructions. 
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Figure 2-9. EFLAGS Register 
Table 2-2. Status Flags 



Name 


Purpose 


Condition Reported 


OF 


overflow 


Result exceeds positive or negative limit of number range 


SF 


sign 


Result is negative (less than zero) 


ZF 


zero 


Result is zero 


AF 


auxiliary carry 


Carry out of bit position 3 (used for BCD) 


PF 


parity 


Low byte of result has even parity (even number of set bits) 


CF 


carry flag 


Carry out of most significant bit of result 



DF (Direction Flag, bit 10) 



Setting the DF flag causes string instructions to auto-decrement, that is, to process 
strings from high addresses to low addresses. Clearing the DF flag causes string instruc- 
tions to auto-increment, or to process strings from low addresses to high addresses. 



2.3.4.3 INSTRUCTION POINTER 



The instruction pointer (EIP) register contains the offset into the current code segment 
for the next instruction to execute. The instruction pointer is not directly available to the 
programmer; it is controlled implicitly by control-transfer instructions (jumps, returns, 
etc.), interrupts, and exceptions. 
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2.4 INSTRUCTION FORMAT 

The information encoded in an instruction includes a specification of the operation to be 
performed, the type of the operands to be manipulated, and the location of these oper- 
ands. If an operand is located in memory, the instruction also must select, explicitly or 
implicitly, the segment which contains the operand. 

An instruction may have various parts and formats. The exact format of instructions is 
shown in Appendix B; the parts of an instruction are described below. Of these parts, 
only the opcode is always present. The other parts may or may not be present, depending 
on the operation involved and the location and type of the operands. The parts of an 
instruction, in order of occurrence, are listed below: 

® Prefixes: one or more bytes preceding an instruction which modify the operation of 
the instruction. The following prefixes can be used by application programs: 

1. Segment override — explicitly specifies which segment register an instruction 
should use, instead of the default segment register. 

2. Address size — switches between 16- and 32-bit addressing. Either size can be the 
default; this prefix selects the non-default size. 

3. Operand size — switches between 16- and 32-bit data size. Either size can be the 
default; this prefix selects the non-default size. 

4. Repeat — used with a string instruction to cause the instruction to be repeated 
for each element of the string. 

® Opcode: specifies the operation performed by the instruction. Some operations have 
several different opcodes, each specifying a different form of the operation. 

® Register specifier: an instruction may specify one or two register operands. Register 
specifiers occur either in the same byte as the opcode or in the same byte as the 
addressing-mode specifier. 

® Addressing-mode specifier: when present, specifies whether an operand is a register 
or memory location; if in memory, specifies whether a displacement, a base register, 
an index register, and scaling are to be used. 

® SIB (scale, index, base) byte: when the addressing-mode specifier indicates an index 
register will be used to calculate the address of an operand, a SIB byte is included in 
the instruction to encode the base register, the index register, and a scaling factor. 

® Displacement: when the addressing-mode specifier indicates a displacement will be 
used to compute the address of an operand, the displacement is encoded in the 
instruction. A displacement is a signed integer of 32, 16, or 8 bits. The 8-bit form is 
used in the common case when the displacement is sufficiently small. The processor 
extends an 8-bit displacement to 16 or 32 bits, taking into account the sign. 

® Immediate operand: when present, directly provides the value of an operand. Imme- 
diate operands may be bytes, words, or doublewords. In cases where an 8-bit imme- 
diate operand is used with a 16- or 32-bit operand, the processor extends the eight-bit 
operand to an integer of the same sign and magnitude in the larger size. In the same 
way, a 16-bit operand is extended to 32-bits. 
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2.5 OPERAND SELECTION 

An instruction acts on zero or more operands. An example of a zero-operand instruction 
is the NOP instruction (no operation). An operand can be held in any of these places: 

• In the instruction itself (an immediate operand). 

• In a register (in the case of 32-bit operands, EAX, EBX, ECX, EDX, ESI, EDI, ESP, 
or EBP; in the case of 16-bit operands AX, BX, CX, DX, SI, DI, SP, or BP; in the 
case of 8-bit operands AH, AL, BH, BL, CH, CL, DH, or DL; the segment registers; 
or the EFLAGS register for flag operations). Use of 16-bit register operands requires 
use of the 16-bit operand size prefix (a byte with the value 67H preceding the 
instruction). 



• 



• 



In memory. 
At an I/O port. 



Immediate operands and operands in registers can be accessed more rapidly than oper- 
ands in memory because memory operands require extra bus cycles. Register and imme- 
diate operands are available on-chip, the latter because they are prefetched as part of 
interpreting the instruction. 

Of the instructions which have operands, some specify operands implicitly; others specify 
operands explicitly; still others use a combination of both. For example: 

Implicit operand: A An 

By definition, AAM (ASCII adjust for multiplication) operates on the contents of 
the AX register. 

Explicit operand: XCHG EAX, EBX 

The operands to be exchanged are encoded in the instruction with the opcode. 

Implicit and explicit operands: PUSH COUNTER 

The memory variable COUNTER (the explicit operand) is copied to the top of the 
stack (the implicit operand). 

Note that most instructions have implicit operands. All arithmetic instructions, for exam- 
ple, update the EFLAGS register. 

An instruction can explicitly reference one or two operands. Two-operand instructions, 
such as MOV, ADD, and XOR, generally overwrite one of the two participating oper- 
ands with the result. This is the difference between the source operand (the one unaf- 
fected by the operation) and the destination operand (the one overwritten by the result). 
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For most instructions, one of the two explicitly specified operands — either the source or 
the destination — can be either in a register or in memory. The other operand must be in 
a register or it must be an immediate source operand. This puts the explicit two-operand 
instructions into the following groups: 

• Register to register 

• Register to memory 

• Memory to register 

• Immediate to register 
« Immediate to memory 

Certain string instructions and stack manipulation instructions, however, transfer data 
from memory to memory. Both operands of some string instructions are in memory and 
are specified implicitly. Push and pop stack operations allow transfer between memory 
operands and the memory-based stack. 

Several three-operand instructions are provided, such as the IMUL, SHRD, and SHLD 
instructions. Two of the three operands are specified explicitly, as for the two-operand 
instructions, while a third is taken from the ECX register or supplied as an immediate. 
Other three-operand instructions, such as the string instructions when used with a repeat 
prefix, take all their operands from registers. 



2.5.1 Immediate Operands 

Certain instructions use data from the instruction itself as one (and sometimes two) of 
the operands. Such an operand is called an immediate operand. It may be a byte, word, 
or doubleword. For example: 

SHR PATTERN, E 

One byte of the instruction holds the value 2, the number of bits by which to shift the 
variable PATTERN. 

TEST PATTERN, 0FFFF00FFH 

A doubleword of the instruction holds the mask which is used to test the variable 
PATTERN. 

inUL ex, HEnUDRD, 3 

A word in memory is multiplied by an immediate 3 and stored into the CX register. 

All arithmetic instructions (except divide) allow the source operand to be an immediate 
value. When the destination is the EAX or AL register, the instruction encoding is one 
byte shorter than with the other general registers. 
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2.5.2 Register Operands 

Operands may be located in one of the 32-bit general registers (EAX, EBX, ECX, EDX, 
ESI, EDI, ESP, or EBP), in one of the 16-bit general registers (AX, BX, CX, DX, SI, 
DI, SP, or BP), or in one of the 8-bit general registers (AH, BH, CH, DH, AL, BL, CL, 
or DL). An instruction which uses 16-bit register operands must use the 16-bit operand 
size prefix (a byte with the value 67H before the remainder of the instruction). 

The 386 DX microprocessor has instructions for referencing the segment registers (CS, 
DS, ES, SS, FS, and GS). These instructions are used by application programs only if 
segmentation is being used. 

The 386 DX microprocessor also has instructions for changing the state of individual 
flags in the EFLAGS register. Instructions have been provided for setting and clearing 
flags which often need to be accessed. The other flags, which are not accessed so often, 
can be changed by pushing the contents of the EFLAGS register on the stack, making 
changes to it while it's on the stack, and popping it back into the register. 



2.5.3 Memory Operands 

Instructions with explicit operands in memory must reference the segment containing 
the operand and the offset from the beginning of the segment to the operand. Segments 
are specified using a segment-override prefix, which is a byte placed at the beginning of 
an instruction. If no segment is specified, simple rules assign the segment by default. The 
offset is specified in one of the following ways: 

1. Most instructions which access memory contain a byte for specifying the addressing 
method of the operand. The byte, called the modR/M byte, comos after the opcode 
and specifies whether the operand is in a register or in memory. If the operand is in 
memory, the address is calculated from a segment register and any of the following 
values: a base register, an index register, a scaling factor, and a displacement. When 
an index register is used, the modR/M byte also is followed by another byte to 
specify the index register and scaling factor. This form of addressing is the most 
flexible. 

2. A few instructions select segments by default: 

A MOV instruction with the AL or EAX register as either source or destination can 
address memory with a doubleword encoded in the instruction. This special form of 
the MOV instruction allows no base register, index register, or scaling factor to be 
used. This form is one byte shorter than the general-purpose form. 

String operations address memory in the DS segment using the ESI register, (the 
MOVS, CMPS, OUTS, LODS, and SCAS instructions) or using the ES segment and 
EDI register (the MOVS, CMPS, INS, and STOS instructions). 

Stack operations address memory in the SS segment using the ESP register (the 
PUSH, POP, PUSHA, PUSHAD, POPA, POPAD, PUSHF, PUSHED, POPF, 
POPFD, CALL, RET, IRET, and IRETD instructions, exceptions, and interrupts). 
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2.5.3.1 SEGMENT SELECTION 

Explicit specification of a segment is optional. If a segment is not specified using a 
segment-override prefix, the processor automatically chooses a segment according to the 
rules of Table 2-3. (If a flat model of memory organization is used, the rules for selecting 
segments are not apparent to application programs.) 

Table 2-3. Default Segment Selection Rules 



Type of Reference 


Segment Used 
Register Used 


Default Selection Rule 


Instructions 


Code Segment 
CS register 


Automatic with instruction fetch. 


Stack 


Stack Segment 
LSS register 


All stack pushes and pops. Any memory ref- 
erence which uses ESP or EBP as a base 
register. 


Local Data 


Data Segment 
DS register 


All data references except when relative to 
stack or string destination. 


Destination Strings 


E-Space Segment 
ES register 


Destination of string instructions. 



Different kinds of memory access have different default segments. Data operands usu- 
ally use the main data segment (the DS segment). However, the ESP and EBP registers 
are used for addressing the stack, so when either register is used, the stack segment (the 
SS segment) is selected. 

Segment-override prefixes are used to override the default segment selection. Segment- 
override prefixes are provided for each of the segment registers. Only the following 
special cases have a default segment selection which is not affected by a segment- 
override prefix: 

® Destination strings in string instructions use the ES segment 

® Stack operands use the SS segment 

® Instruction fetches use the CS segment 

2.5.3.2 EFFECTIVE-ADDRESS COMPUTATION 

The modR/M byte provides the most flexible form of addressing. Instructions which have 
a modR/M byte after the opcode are the most common in the instruction set. For mem- 
ory operands specified by a modR/M byte, the offset within the selected segment is the 
sum of three components: 

o A displacement 

o A base register 

® An index register (the index register may be multiplied by a factor of 2, 4, or 8) 
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The offset which results from adding these components is called an effective address. 
Each of these components may have either a positive or negative value. Figure 2-10 
illustrates the full set of possibilities for modR/M addressing. 

The displacement component, because it is encoded in the instruction, is useful for 
relative addressing by fixed amounts, such as: 

• Location of simple scalar operands. 

• Beginning of a statically allocated array. 

• Offset to a field within a record. 

The base and index components have similar functions. Both use the same set of general 
registers. Both can be used for addressing which changes during program execution, 
such as: 

• Location of procedure parameters and local variables on the stack. 

• The beginning of one record among several occurrences of the same record type or in 
an array of records. 

• The beginning of one dimension of multiple dimension array. 

• The beginning of a dynamically allocated array. 

The uses of general registers as base or index components differ in the following 
respects: 

• The ESP register cannot be used as an index register. 

• When the ESP or EBP register is used as the base, the SS segment is the default 
selection. In all other cases, the DS segment is the default selection. 

The scaling factor permits efficient indexing into an array when the array elements are 2, 
4, or 8 bytes. The scaling of the index register is done in hardware at the time the 
address is evaluated. This eliminates an extra shift or multiply instruction. 
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Figure 2-10. Effective Address Computation 
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The base, index, and displacement components may be used in any combination; any of 
these components may be null. A scale factor can be used only when an index also is 
used. Each possible combination is useful for data structures commonly used by pro- 
grammers in high-level languages and assembly language. Suggested uses for some com- 
binations of address components are described below. 

DISPLACEMENT 

The displacement alone indicates the offset of the operand. This form of addressing is 
used to access a statically allocated scalar operand. A byte, word, or doubleword dis- 
placement can be used. 

BASE 

The offset to the operand is specified indirectly in one of the general registers, as for 
"based" variables. 

BASE + DISPLACEMENT 

A register and a displacement can be used together for two distinct purposes: 

1. Index into static array when the element size is not 2, 4, or 8 bytes. The displace- 
ment component encodes the offset of the beginning of the array. The register holds 
the results of a calculation to determine the offset to a specific element within the 
array. 

2. Access a field of a record. The base register holds the address of the beginning of 
the record, while the displacement is an offset to the field. 

An important special case of this combination is access to parameters in a procedure 
activation record. A procedure activation record is the stack frame created when a sub- 
routine is entered. In this case, the EBP register is the best choice for the base register, 
because it automatically selects the stack segment. This is a compact encoding for this 
common function. 

(INDEX * SCALE) + DISPLACEMENT 

This combination is an efficient way to index into a static array when the element size is 
2, 4, or 8 bytes. The displacement addresses the beginning of the array, the index register 
holds the subscript of the desired array element, and the processor automatically con- 
verts the subscript into an index by applying the scaling factor. 

BASE + INDEX + DISPLACEMENT 

Two registers used together support either a two-dimensional array (the displacement 
holds the address of the beginning of the array) or one of several instances of an array of 
records (the displacement is an offset to a field within the record). 
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BASE + (INDEX * SCALE) + DISPLACEMENT 

This combination provides efficient indexing of a two-dimensional array when the ele- 
ments of the array are 2, 4, or 8 bytes in size. 



2.6 INTERRUPTS AND EXCEPTIONS 

The 386 DX microprocessor has two mechanisms for interrupting program execution: 

1. Exceptions are synchronous events which are responses of the processor to certain 
conditions detected during the execution of an instruction. 

2. Interrupts are asynchronous events typically triggered by external devices needing 
attention. 

Interrupts and exceptions are alike in that both cause the processor to temporarily sus- 
pend the program being run in order to run a program of higher priority. The major 
distinction between these two kinds of interrupts is their origin. An exception is always 
reproducible by re-executing the program which caused the exception, while an interrupt 
can have a complex, timing-dependent relationship with programs. 

Application programmers normally are not concerned with handling exceptions or inter- 
rupts. The operating system, monitor, or device driver handles them. More information 
on interrupts for system programmers may be found in Chapter 9. Certain kinds of 
exceptions, however, are relevant to application programming, and many operating sys- 
tems give application programs the opportunity to service these exceptions. However, 
the operating system defines the interface between the application program and the 
exception mechanism of the 386 DX microprocessor. Table 2-4 lists the interrupts and 
exceptions. 

A divide-error exception; results when the DIV or IDIV instruction is executed with a 
zero denominator or when the quotient is too large for the destination operand. (See 
Chapter 3 for more information on the DIV and IDIV instructions.) 

A debug exception may be sent back to an application program if it results from the 
TF (trap) flag. 

A breakpoint exception results when an INT3 instruction is executed. This instruction 
is used by some debuggers to stop program execution at specific points. 

An overflow exception results when the INTO instruction is executed and the OF 
(overflow) flag is set. See Chapter 3 for a discussion of the INTO instruction. 

A bounds-check exception results when the BOUND instruction is executed with an 
array index which falls outside the bounds of the array. See Chapter 3 for a discussion 
of the BOUND instruction. 



• 



• 



The coprocessor-not-available exception occurs if the program contains instructions 
for a coprocessor, but no coprocessor is present in the system. 

A coprocessor-error exception is generated when a coprocessor detects an illegal 
operation. 
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Table 2-4. Exceptions and Interrupts 



Vector Number 


Description 





Divide Error 


1 
2 
3 

4 


Debugger Call 
NMI Interrupt 
Breakpoint 
INTO-detected Overflow 


5 
6 

7 
8 


BOUND Range Exceeded 
Invalid Opcode 
Coprocessor Not Available 
Double Fault 


9 
10 
11 
12 
13 


Coprocessor Segment Overrun 
Invalid Task State Segment 
Segment Not Present 
Stack Exception 
General Protection 


15 

16 
17-31 
32-255 


{Intel® reserved. Do not use.) 
Coprocessor Error 
(Intel reserved. Do not use.) 
Maskable Interrupts 



The INT instruction generates an interrupt whenever it is executed; the processor treats 
this interrupt as an exception. Its effects (and the effects of all other exceptions) are 
determined by exception handler routines in the application program or the operating 
system. The INT instruction itself is discussed in Chapter 3. See Chapter 9 for a more 
complete description of exceptions. 

Exceptions caused by segmentation and paging are handled differently than interrupts. 
Normally, the contents of the program counter (EIP register) are saved on the stack 
when an exception or interrupt is generated. But exceptions resulting from segmentation 
and paging restore the contents of some processor registers to their state before interpre- 
tation of the instruction began. The saved contents of the program counter address the 
instruction which caused the exception, rather than the instruction after it. This lets the 
operating system fix the exception-generating condition and restart the program which 
generated the exception. This mechanism is completely transparent to the program. 
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CHAPTER 3 
APPLICATION PROGRAMMING 

This chapter is an overview of the instructions which programmers can use to write 
appUcation software for the 386™ DX microprocessor. The instructions are grouped by 
categories of related functions. 

The instructions not discussed in this chapter normally are used only by operating- 
system programmers. Part II describes these instructions. 

These instruction descriptions are for the 386 DX microprocessor in protected mode. 
The instruction set in this mode is a 32-bit superset of the instruction set used in Intel 
16-bit processors. In real-address mode or virtual-86 mode, the 386 DX microprocessor 
appears to have the architecture of a fast, enhanced 16-bit processor with instruction set 
extensions. See Chapters 13, 14, 15, and 16 for more information about running the 
16-bit instruction set. All of the instructions described in this chapter are available in all 
modes. 

The instruction set description in Chapter 17 contains more detailed information on all 
instructions, including encoding, operation, timing, effect on flags, and exceptions which 
may be generated. 



3.1 DATA MOVEMENTINSTRUCTIONS 

These instructions provide convenient methods for moving bytes, words, or doublewords 
between memory and the processor registers. They come in three types: 

1. General-purpose data movement instructions. 

2. Stack manipulation instructions. 

3. Type-conversion instructions. 

3.1.1 General-Purpose Data Movement Instructions 

MOV (Move) transfers a byte, word, or doubleword from the source operand to the 
destination operand. The MOV instruction is useful for transferring data along any of 
these paths: 

© To a register from memory 

• To memory from a register 
® Between general registers 

« Immediate data to a register 

• Immediate data to memory 
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The MOV instruction cannot move from memory to memory or from a segment register 
to a segment register. Memory-to-memory moves can be performed, however, by the 
string move instruction MOVS. A special form of the MOV instruction is provided for 
transferring data between the AL or EAX registers and a location in memory specified 
by a 32-bit offset encoded in the instruction. This form of the instruction does not allow 
a segment override, index register, or scaling factor to be used. The encoding of this 
form is one byte shorter than the encoding of the general-purpose MOV instruction. A 
similar encoding is provided for moving an 8-, 16-, or 32-bit immediate into any of the 
general registers. 

XCHG (Exchange) swaps the contents of two operands. This instruction takes the place 
of three MOV instructions. It does not require a temporary location to save the contents 
of one operand while the other is being loaded. The XCHG instruction is especially 
useful for implementing semaphores or similar data structures for process 
synchronization. 

The XCHG instruction can swap two byte operands, two word operands, or two double- 
word operands. The operands for the XCHG instruction may be two register operands, 
or a register operand and a memory operand. When used with a memory operand, 
XCHG automatically activates the LOCK signal. (See Chapter 11 for more information 
on bus locking.) 



3.1.2 Stack Manipulation Instructions 

PUSH (Push) decrements the stack pointer (ESP register), then copies the source oper- 
and to the top of stack (see Figure 3-1). The PUSH instruction often is used to place 
parameters on the stack before calling a procedure. Inside a procedure, it can be used to 
reserve space on the stack for temporary variables. The PUSH instruction operates on 
memory operands, immediate operands, and register operands (including segment regis- 
ters). A special form of the PUSH instruction is available for pushing a 32-bit general 
register on the stack. This form has an encoding which is one byte shorter than the 
general-purpose form. 

PUSHA (Push All Registers) saves the contents of the eight general registers on the 
stack (see Figure 3-2). This instruction simplifies procedure calls by reducing the number 
of instructions required to save the contents of the general registers. The processor 
pushes the general registers on the stack in the following order: EAX, ECX, EDX, EBX, 
the initial value of ESP before EAX was pushed, EBP, ESI, and EDI. The effect of the 
PUSHA instruction; is reversed using the POPA instruction. 

POP (Pop) transfers the word or doubleword at the current top of stack (indicated by 
the ESP register) to the destination operand, and then increments the ESP register to 
point to the new top of stack. See Figure 3-3. POP moves information from the stack to 
a general register, segment register, or to memory. A special form of the POP instruction 
is available for popping a doubleword from the stack to a general register. This form has 
an encoding which is one byte shorter than the general-purpose form. 
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Figure 3-1. PUSH Instruction 
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Figure 3-2. PUSHA Instruction 
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Figure 3-3. POP Instruction 

POPA (Pop All Registers) pops the data saved on the stack by PUSHA into the general 
registers, except for the ESP register. The ESP register is restored by the action of 
reading the stack (popping). See Figure 3-4. 

3.1.3 Type Conversion Instructions 

The type conversion instructions convert bytes into words, words into doublewords, and 
doublewords into 64-bit quantities (called quadwords). These instructions are especially 
useful for converting signed integers, because they automatically fill the extra bits of the 
larger item with the value of the sign bit of the smaller item. This results in an integer of 
the same sign and magnitude, but a larger format. This kind of conversion, shown in 
Figure 3-5, is called sign extension. 

There are two kinds of type conversion instructions: 

• The CWD, CDQ, CBW, and CWDE instructions which only operate on data in the 
EAX register. 

® The MOVSX and MOVZX instructions, which permit one operand to be in a general 
register while letting the other operand be in memory or a register. 

CWD (Convert Word to Doubleword) and CDQ (Convert Doubleword to Quad-Word) 

double the size of the source operand. The CWD instruction copies the sign (bit 15) of 
the word in the AX register into every bit position in the DX register. The CDQ instruc- 
tion copies the sign (bit 31) of the doubleword in the EAX register into every bit posi- 
tion in the EDX register. The CWD instruction can be used to produce a doubleword 
dividend from a word before a word division, and the CDQ instruction can be used to 
produce a quadword dividend from a doubleword before doubleword division. 
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Figure 3-4. POPA Instruction 
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Figure 3-5. Sign Extension 
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CBW (Convert Byte to Word) copies the sign (bit 7) of the byte in the AL register into 
every bit position in the AX register. 

CWDE (Convert Word to Doubleword Extended) copies the sign (bit 15) of the word in 
the AX register into every bit position in the EAX register. 

MOVSX (Move with Sign Extension) extends an 8-bit value to a 16-bit value or an 8- or 
16-bit value to 32-bit value by using the value of the sign to fill empty positions. 

MOVZX (Move with Zero Extension) extends an 8-bit value to a 16-bit value or an 8- or 
16-bit value to 32-bit value by clearing the empty bit positions. 



3.2 BINARY ARITHMETIC INSTRUCTIONS 

The arithmetic instructions of the 386 DX microprocessor operate on numeric data 
encoded in binary. Operations include the add, subtract, multiply, and divide as well as 
increment, decrement, compare, and change sign (negate). Both signed and unsigned 
binary integers are supported. The binary arithmetic instructions may also be used as 
steps in arithmetic on decimal integers. Source operands can be immediate values, gen- 
eral registers, or memory. Destination operands can be general registers or memory 
(except when the source operand is in memory). The basic arithmetic instructions have 
special forms for using an immediate value as the source operand and the AL or EAX 
registers as the destination operand. These forms are one byte shorter than the general- 
purpose arithmetic instructions. 

The arithmetic instructions update the ZF, CF, SF, and OF flags to report the kind of 
result which was produced. The kind of instruction used to test the flags depends on 
whether the data is being interpreted as signed or unsigned. The CF flag contains infor- 
mation relevant to unsigned integers; the SF and OF flags contain information relevant 
to signed integers. The ZF flag is relevant to both signed and unsigned integers; the ZF 
flag is set when all bits of the result are clear. 

Arithmetic instructions operate on 8-, 16-, or 32-bit data. The flags are updated to re- 
flect the size of the operation. For example, an 8-bit ADD instruction sets the CF flag if 
the sum of the operands exceeds 255 (decimal). 

If the integer is unsigned, the CF flag may be tested after one of these arithmetic oper- 
ations to determine whether the operation required a carry or borrow to be propagated 
to the next stage of the operation. The CF flag is set if a carry occurs (addition instruc- 
tions ADD, ADC, AAA, and DAA) or borrow occurs (subtraction instructions SUB, 
SBB, AAS, DAS, CMP, and NEG). 

The INC and DEC instructions do not change the state of the CF flag. This allows the 
instructions to be used to update counters used for loop control without changing the 
reported state of arithmetic results. To test the arithmetic state of the counter, the ZF 
flag can be tested to detect loop termination, or the ADD and SUB instructions can be 
used to update the value held by the counter. 
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The SF and OF flags support signed integer arithmetic. The SF flag has the value of the 
sign bit of the result. The most significant bit (MSB) of the magnitude of a signed 
integer is the bit next to the sign — bit 6 of a byte, bit 14 of a word, or bit 30 of a 
doubleword. The OF flag is set in either of these cases: 

• A carry was generated from the MSB into the sign bit but no carry was generated out 
of the sign bit (addition instructions ADD, ADC, INC, AAA, and DAA). In other 
words, the result was greater than the greatest positive number which could be rep- 
resented in two's complement form. 

• A carry was generated from the sign bit into the MSB but no carry was generated into 
the sign bit (subtraction instructions SUB, SBB, DEC, AAS, DAS, CMP, and NEG). 
In other words, the result was smaller than the smallest negative number which could 
be represented in two's complement form. 

These status flags are tested by either kind of conditional instruction: Jcc O^i^^P c>n 
condition cc) or SETcc (byte set on condition). 

3.2.1 Addition and Subtraction Instructions 

ADD (Add Integers) replaces the destination operand with the sum of the source and 
destination operands. The OF, SF, ZF, AF, PF, and CF flags are affected. 

ADC (Add Integers with Carry) replaces the destination operand with the sum of the 
source and destination operands, plus 1 if the CF flag is set. If the CF flag is clear, the 
ADC instruction performs the same operation as the ADD instruction. An ADC instruc- 
tion is used to propagate carry when adding numbers in stages, for example when using 
32-bit ADD instructions to sum quadword operands. The OF, SF, ZF, AF, PF, and CF 
flags are affected. 

INC (Increment) adds 1 to the destination operand. The INC instruction preserves the 
state of the CF flag. This allows the use of INC instructions to update counters in loops 
without disturbing the status flags resulting from an arithmetic operation used for loop 
control. The ZF flag can be used to detect when carry would have occurred. Use an 
ADD instruction with an immediate value of 1 to perform an increment which updates 
the CF flag. A one-byte form of this instruction is available when the operand is a 
general register. The OF, SF, ZF, AF, and PF flags are affected. 

SUB (Subtract Integers) subtracts the source operand from the destination operand and 
replaces the destination operand with the result. If a borrow is required, the CF flag is 
set. The operands may be signed or unsigned bytes, words, or doublewords. The OF, SF, 
ZF, AF, PF, and CF flags are affected. 

SBB (Subtract Integers with Borrow) subtracts the source operand from the destination 
operand and replaces the destination operand with the result, minus 1 if the CF flag is 
set. If the CF flag is clear, the SBB instruction performs the same operation as the SUB 
instruction. An SBB instruction is used to propagate borrow when subtracting numbers 
in stages, for example when using 32-bit SUB instructions to subtract one quadword 
operand from another. The OF, SF, ZF, AF, PF, and CF flags are affected. 
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DEC (Decrement) subtracts 1 from the destination operand. The DEC instruction pre- 
serves the state of the CF flag. This allows the use of the DEC instruction to update 
counters in loops without disturbing the status flags resulting from an arithmetic opera- 
tion used for loop control. Use a SUB instruction with an immediate value of 1 to 
perform a decrement which updates the CF flag. A one-byte form of this instruction is 
available when the operand is a general register. The OF, SF, ZF, AF, and PF flags are 
affected. 

3.2.2 Comparison and Sign Change Instruction 

CMP (Compare) subtracts the source operand from the destination operand. It updates 
the OF, SF, ZF, AF, PF, and CF flags, but does not modify the source or destination 
operands. A subsequent Jcc or SETcc instruction can test the flags. 

NEG (Negate) subtracts a signed integer operand from zero. The effect of the NEG 
instruction is to change the sign of a two's complement operand while keeping its mag- 
nitude. The OF, SF, ZF, AF, PF, and CF flags are affected. 

3.2.3 Multiplication Instructions 

The 386 DX microprocessor has separate multiply instructions for unsigned and signed 
operands. The MUL instruction operates on unsigned integers, while the IMUL instruc- 
tion operates on signed integers as well as unsigned. 

MUL (Unsigned Integer Multiply) performs an unsigned multiplication of the source 
operand and the AL, AX, or EAX register. If the source is a byte, the processor multi- 
plies it by the value held in the AL register and returns the double-length result in the 
AH and AL registers. If the source operand is a word, the processor multiplies it by the 
value held in the AX register and returns the double-length result in the DX and AX 
registers. If the source operand is a doubleword, the processor multiplies it by the value 
held in the EAX register and returns the quadword result in the EDX and EAX regis- 
ters. The MUL instruction sets the CF and OF flags when the upper half of the result is 
non-zero; otherwise, the flags are cleared. The state of the SF, ZF, AF, and PF flags is 
undefined. 

IMUL (Signed Integer Multiply) performs a signed multiplication operation. The IMUL 
instruction has three forms: 

L A one-operand form. The operand may be a byte, word, or doubleword located in 
memory or in a general register. This instruction uses the EAX and EDX registers 
as implicit operands in the same way as the MUL instruction. 

2. A two-operand form. One of the source operands is in a general register while the 
other may be in a general register or memory. The result replaces the general- 
register operand. 

3. A three-operand form; two are source operands and one is the destination. One of 
the source operands is an immediate value supplied by the instruction; the second 
may be in memory or in a general register. The result is stored in a general register. 
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The immediate operand is a two's complement signed integer. If the immediate 
operand is a byte, the processor automatically sign-extends it to the size of the 
second operand before performing the multiplication. 

The three forms are similar in most respects: 

• The length of the product is calculated to twice the length of the operands. 

• The CF and OF flags are set when significant bits are carried into the upper half of 
the result. The CF and OF flags are cleared when the upper half of the result is the 
sign-extension of the lower half. The state of the SF, ZF, AF, and PF flags is 
undefined. 

However, forms 2 and 3 differ because the product is truncated to the length of the 
operands before it is stored in the destination register. Because of this truncation, the 
OF flag should be tested to ensure that no significant bits are lost. (For ways to test the 
OF flag, see the JO, INTO, and PUSHF instructions.) 

Forms 2 and 3 of IMUL also may be used with unsigned operands because, whether the 
operands are signed or unsigned, the lower half of the product is the same. The CF and 
OF flags, however, cannot be used to determine if the upper half of the result is 
non-zero. 



3.2.4 Division Instructions 

The 386 DX microprocessor has separate division instructions for unsigned and signed 
operands. The DIV instruction operates on unsigned integers, while the IDIV instruc- 
tion operates on both signed and unsigned integers. In either case, a divide-error excep- 
tion is generated if the divisor is zero or if the quotient is too large for the AL, AX, or 
EAX register. 

DIV (Unsigned Integer Divide) performs an unsigned division of the AL, AX, or EAX 

register by the source operand. The dividend (the accumulator) is twice the size of the 
divisor (the source operand); the quotient and remainder have the same size as the 
divisor, as shown in Table 3-L 

Non-integral results are truncated toward 0. The remainder is always smaller than the 
divisor. For unsigned byte division, the largest quotient is 255. For unsigned word divi- 
sion, the largest quotient is 65,535. For unsigned doubleword division the largest quo- 
tient is 2^^- L The state of the OF, SF, ZF, AF, PF, and CF flags is undefined. 

Table 3-1. Operands for Division 



Operand Size 
(Divisor) 


Dividend 


Quotient 


Remainder 


Byte 

Word 

Doubleword 


AX register 
DX and AX 
EDX and EAX 


AL register 
AX register 
EAX register 


AH register 
DX register 
EDX register 
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IDFV (Signed Integer Divide) performs a signed division of the accumulator by the 
source operand. The IDIV instruction uses the same registers as the DIV instruction. 

For signed byte division, the maximum positive quotient is +127, and the minimum 
negative quotient is —128. For signed word division, the maximum positive quotient is 
■f 32,767, and the minimum negative quotient is - 32,768. For signed doubleword divi- 
sion the maximum positive quotient is 2-^^-1, the minimum negative quotient is -i?^. 
Nonintegral results are truncated towards 0. The remainder always has the same sign as 
the dividend and is less than the divisor in magnitude. The state of the OF, SF, ZF, AF, 
PF, and CF flags is undefined. 



3.3 DECIMAL ARITHMETIC INSTRUCTIONS 

Decimal arithmetic is performed by combining the binary arithmetic instructions (al- 
ready discussed in the prior section) with the decimal arithmetic instructions. The deci- 
mal arithmetic instructions are used in one of the following ways: 

• To adjust the results of a previous binary arithmetic operation to produce a valid 
packed or unpacked decimal result. 

« To adjust the inputs to a subsequent binary arithmetic operation so that the operation 
will produce a valid packed or unpacked decimal result. These instructions operate 
only on the AL or AH registers. Most use the AF flag. 



3.3.1 Packed BCD Adjustment Instructions 

DAA (Decimal Adjust after Addition) adjusts the result of adding two valid packed dec- 
imal operands in the AL register. A DAA instruction must follow the addition of two 
pairs of packed decimal numbers (one digit in each half-byte) to obtain a pair of valid 
packed decimal digits as results. The CF flag is set if a carry occurs. The SF, ZF, AF, PF, 
and CF flags are affected. The state of the OF flag is undefined. 

DAS (Decimal Adjust after Subtraction) adjusts the result of subtracting two valid 
packed decimal operands in the AL register. A DAS instruction must always follow the 
subtraction of one pair of packed decimal numbers (one digit in each half-byte) from 
another to obtain a pair of valid packed decimal digits as results. The CF flag is set if a 
borrow is needed. The SF, ZF, AF, PF, and CF flags are affected. The state of the OF 
flag is undefined. 



3.3.2 Unpacked BCD Adjustment Instructions 

AAA (ASCII Adjust after Addition) changes the contents of the AL register to a valid 
unpacked decimal number, and clears the upper 4 bits. An AAA instruction must follow 
the addition of two unpacked decimal operands in the AL register. The CF flag is set 
and the contents of the AH register are incremented if a carry occurs. The AF and CF 
flags are affected. The state of the OF, SF, ZF, and PF flags is undefined. 
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AAS (ASCII Adjust after Subtraction) changes the contents of the AL register to a vaHd 
unpacked decimal number, and clears the upper 4 bits. An AAS instruction must follow 
the subtraction of one unpacked decimal operand from another in the AL register. The 
CF flag is set and the contents of the AH register are decremented if a borrow is 
needed. The AF and CF flags are affected. The state of the OF, SF, ZF, and PF flags is 
undefined. 

AAM (ASCII Adjust after Multiplication) corrects the result of a multiplication of two 
valid unpacked decimal numbers. An AAM instruction must follow the multiplication of 
two decimal numbers to produce a vahd decimal result. The upper digit is left in the AH 
register, the lower digit in the AL register. The SF, ZF, and PF flags are affected. The 
state of the AF, OF, and CF flags is undefined. 

AAD (ASCII Adjust before Division) modifies the numerator in the AH and AL registers 
to prepare for the division of two valid unpacked decimal operands, so that the quotient 
produced by the division will be a valid unpacked decimal number. The AH register 
should contain the upper digit and the AL register should contain the lower digit. This 
instruction adjusts the value and places the result in the AL register. The AH register 
will be clear. The SF, ZF, and PF flags are affected. The state of the AF, OF, and CF 
flags is undefined. 



3.4 LOGICAL INSTRUCTIONS 

The logical instructions have two operands. Source operands can be immediate values, 
general registers, or memory. Destination operands can be general registers or memory 
(except when the source operand is in memory). The logical instructions modify the state 
of the flags. Short forms of the instructions are available when the an immediate source 
operand is applied to a destination operand in the AL or EAX registers. The group of 
logical instructions includes: 

® Boolean operation instructions 

o Bit test and modify instructions 

© Bit scan instructions 

© Rotate and shift instructions 

© Byte set on condition 



3.4.1 Boolean Operation Instructions 

The logical operations are performed by the AND, OR, XOR, and NOT instructions. 

NOT (Not) inverts the bits in the specified operand to form a one's complement of the 
operand. The NOT instruction is a unary operation which uses a single operand in a 
register or memory. NOT has no effect on the flags. 
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The AND, OR, and XOR instructions perform the standard logical operations "and," 
"or," and "exclusive or." These instructions can use the following combinations of 
operands: 

• Two register operands 

• A general register operand with a memory operand 

• An immediate operand with either a general register operand or a memory operand 

The AND, OR, and XOR instructions clear the OF and CF flags, leave the AF flag 
undefined, and update the SF, ZF, and PF flags. 

3.4.2 Bit Test and Modify Instructions 

This group of instructions operates on a single bit which can be in memory or in a 
general register. The location of the bit is specified as an offset from the low end of the 
operand. The value of the offset either may be given by an immediate byte in the instruc- 
tion or may be contained in a general register. 

These instructions first assign the value of the selected bit to the CF flag. Then a new 
value is assigned to the selected bit, as determined by the operation. The state of the 
OF, SF, ZF, AF, and PF flags is undefined. Table 3-2 defines these instructions. 



3.4.3 Bit Scan Instructions 

These instructions scan a word or doubleword for a set bit and store the bit index (an 
integer representing the bit position) of the first set bit into a register. The bit string 
being scanned may be in a register or in memory. The ZF flag is set if the entire word is 
clear, otherwise the ZF flag is cleared. In the former case, the value of the destination 
register is left undefined. The state of the OF, SF, AF, PF, and CF flags is undefined. 

BSF (Bit Scan Forward) scans low-to-high (from bit toward the upper bit positions). 

BSR (Bit Scan Reverse) scans high-to-low (from the uppermost bit toward bit 0). 

3.4.4 Shift and Rotate Instructions 

The shift and rotate instructions rearrange the bits within an operand. 



Table 3-2 


Bit Test and Modify Instructions 


Instruction 


Effect on CF Flag 


Effect on Selected Bit 


BT (Bit Test) 

BTS (Bit Test and Set) 

BTR (Bit Test and Reset) 

BTC (Bit Test and Complement) 


CF flag ^ Selected Bit 
CF flag ^ Selected Bit 
CF flag ^ Selected Bit 
CF flag ^ Selected Bit 


no effect 

Selected Bit ^ 1 

Selected Bit ^ 

Selected Bit ^ - (Selected Bit) 
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These instructions fall into the following classes: 

® Shift instructions 

9 Double shift instructions 

o Rotate instructions 

3.4.4.1 SHIFT INSTRUCTIONS 

Shift instructions apply an arithmetic or logical shift to bytes, words, and doublewords. 
An arithmetic shift right copies the sign bit into empty bit positions on the upper end of 
the operand, while a logical shift right fills clears the empty bit positions. An arithmetic 
shift is a fast way to perform a simple calculation. For example, an arithmetic shift right 
by one bit position divides an integer by two. A logical shift right divides an unsigned 
integer or a positive integer, but a signed negative integer loses its sign bit. 

The arithmetic and logical shift right instructions, SAR and SHR, differ only in their 
treatment of the bit positions emptied by shifting the contents of the operand. Note that 
there is no difference between an arithmetic shift left and a logical shift left. Two names, 
SAL and SHL, are supported for this instruction in the assembler. 

A count specifies the number of bit positions to shift an operand. Bits can be shifted up 
to 31 places. A shift instruction can give the count in any of three ways. One form of shift 
instruction always shifts by one bit position. The second form gives the count as an 
immediate operand. The third form gives the count as the value contained in the CL 
register. This last form allows the count to be a result from a calculation. Only the low 
five bits of the CL register are used. 

When the number of bit positions to shift is zero, no flags are affected. Otherwise, the 
CF flag is left with the value of the last bit shifted out of the operand. In a single-bit 
shift, the OF flag is set if the value of the uppermost bit (sign bit) was changed by the 
operation. Otherwise, the OF flag is cleared. After a shift of more than one bit position, 
the state of the OF flag is undefined. On a shift of one or more bit positions, the SF, ZF, 
PF, and CF flags are affected, and the state of the AF flag is undefined. 

SAL (Shift Arithmetic Left) shifts the destination byte, word, or doubleword operand left 
by one bit position or by the number of bits specified in the count operand (an immedi- 
ate value or a value contained in the CL register). Empty bit positions are cleared. See 
Figure 3-6. 

SHL (Shift Logical Left) is another name for the SAL instruction. It is supported in the 
assembler. 

SHR (Shift Logical Right) shifts the destination byte, word, or doubleword operand right 
by one bit position or by the number of bits specified in the count operand (an immedi- 
ate value or a value contained in the CL register). Empty bit positions are cleared. See 
Figure 3-7. 
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INITIAL STATE: 
OF CF 


OPERAND 




2403311 


X X 


10001000100010001000100010001111 




AFTER 1-BIT SHL/SAL INSTRUCTION: 




11 ^ 


000100010001000100010001000111110 






AFTER 10-BIT SHL/SAL INSTRUCTION: 




X |-< 


00100010001000100011110000000000 


««# n 











Figure 3-6. SHL/SAL Instruction 



INITIAL STATE: 

OPERAND 


CF 




10001000100010001000100010001111 


3 


AFTER 1-1 


BIT SHR INSTRUCTION: 




n \!«lr. 


01000100010001000100010001000111 


tk»> i 


J^ 


M^ 1 


AFTER 10 


-BIT SHR INSTRUCTION: 




n ^fURM. 


00000000001000100010001000100010 












2403311 



Figure 3-7. SHR Instruction 

SAR (Shift Arithmetic Right) shifts the destination byte, word, or doubleword operand 
to the right by one bit position or by the number of bits specified in the count operand 
(an immediate value or a value contained in the CL register). The sign of the operand is 
preserved by clearing empty bit positions if the operand is positive, or setting the empty 
bits if the operand is negative. See Figure 3-8. 

Even though this instruction can be used to divide integers by an integer power of two, 
the type of division is not the same as that produced by the IDIV instruction. The 

quotient from the IDIV instruction is rounded toward zero, whereas the "quotient" of 
the SAR instruction is rounded toward negative infinity. This difference is apparent only 
for negative numbers. For example, when the IDIV instruction is used to divide - 9 by 4, 
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INITIAL STATE (POSITIVE OPERAND): 
OPERAND 


CF 
X 

— ^ 1 

CF 


2403311 




01 0001 0001 0001 0001 0001 0001 0001 1 1 


AFTER 1-BIT SAR INSTRUCTION: 




>B»- 


00100010001000100010001000100011 












INITIAL STATE (NEGATIVE OPERAND): 
OPERAND 




1 1 0001 0001 0001 0001 0001 0001 0001 1 1 


AFTER 1-BIT SAR INSTRUCTION: 




>e»- 


1 1 1 0001 0001 0001 0001 0001 0001 0001 1 




jg> 


>l 1 















Figure 3-8. SAR Instruction 

the result is - 2 with a remainder of - 1. If the SAR instruction is used to shift - 9 right 
by two bits, the resuh is -3. The "remainder" of this kind of division is +13; however, 
the SAR instruction stores only the high-order bit of the remainder (in the CF flag). 

3.4.4.2 DOUBLE-SHIFT INSTRUCTIOIMS 

These instructions provide the basic operations needed to implement operations on long 
unaligned bit strings. The double shifts operate either on word or doubleword operands, 
as follows: 

© Take two word operands and produce a one-word result (32-bit shift). 

© Take two doubleword operands and produce a doubleword result (64-bit shift). 

Of the two operands, the source operand must be in a register while the destination 
operand may be in a register or in memory. The number of bits to be shifted is specified 
either in the CL register or in an immediate byte in the instruction. Bits shifted out of 
the source operand fill empty bit positions in the destination operand, which also is 
shifted. Only the destination operand is stored. 

When the number of bit positions to shift is zero, no flags are affected. Otherwise, the 
CF flag is set to the value of the last bit shifted out of the destination operand, and the 
SF, ZF, and PF flags are affected. On a shift of one bit position, the OF flag is set if the 
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sign of the operand changed, otherwise it is cleared. For shifts of more than one bit 
position, the state of the OF flag is undefined. For shifts of one or more bit positions, 
the state of AF flag is undefined. 

SHLD (Shift Left Double) shifts bits of the destination operand to the left, while filling 
empty bit positions with bits shifted out of the source operand (see Figure 3-9). The 
result is stored back into the destination operand. The source operand is not modified. 

SHRD (Shift Right Double) shifts bits of the destination operand to the right, while 
filling empty bit positions with bits shifted out of the source operand (see Figure 3-10). 
The result is stored back into the destination operand. The source operand is not 
modified. 

3.4.4.3 ROTATE INSTRUCTIONS 

Rotate instructions apply a circular permutation to bytes, words, and doublewords. Bits 
rotated out of one end of an operand enter through the other end. Unlike a shift, no bits 
are emptied during a rotation. 

Rotate instructions use only the CF and OF flags. The CF flag may act as an extension 
of the operand in two of the rotate instructions, allowing a bit to be isolated and then 
tested by a conditional jump instruction (JC or JNC). The CF flag always contains the 
value of the last bit rotated out of the operand, even if the instruction does not use the 
CF flag as an extension of the operand. The state of the SF, ZF, AF, and FF flags is not 
affected. 



DESTINATION 



I CF I < I MEMORY OR REGISTER |^ 1 



REGISTER 
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Figure 3-9. SHLD Instruction 



Q: 



^ 



DESTINATION 



\ REGISTER [— ►! CF I 



Figure 3-10. SHRD Instruction 
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In a single-bit rotation, the OF flag is set if the operation changes the uppermost bit 
(sign bit) of the destination operand. If the sign bit retains its original value, the OF flag 
is cleared. After a rotate of more than one bit position, the value of the OF flag is 
undefined. 

ROL (Rotate Left) rotates the byte, word, or doubleword destination operand left by one 
bit position or by the number of bits specified in the count operand (an immediate value 
or a value contained in the CL register). For each bit position of the rotation, the bit 
which exits from the left of the operand returns at the right. See Figure 3-11. 

ROR (Rotate Right) rotates the byte, word, or doubleword destination operand right by 
one bit position or by the number of bits specified in the count operand (an immediate 
value or a value contained in the CL register). For each bit position of the rotation, the 
bit which exits from the right of the operand returns at the left. See Figure 3-12. 

RCL (Rotate Through Carry Left) rotates bits in the byte, word, or doubleword destina- 
tion operand left by one bit position or by the number of bits specified in the count 
operand (an immediate value or a value contained in the CL register). 

This instruction differs from ROL in that it treats the CF flag as a one-bit extension on 
the upper end of the destination operand. Each bit which exits from the left side of the 
operand moves into the CF flag. At the same time, the bit in the CF flag enters the right 
side. See Figure 3-13. 



DESTINATION 



I CF l-«— I 1 MEMORY OR REGISTER |^ . 
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Figure 3-11. ROL instruction 



31 DESTINATION 



►[___ MEMORY OR REGISTER | — L-^^l CF | 



Figure 3-12. ROR Instruction 
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RCR (Rotate Through Carry Right) rotates bits in the byte, word, or doubleword desti- 
nation operand right by one bit position or by the number of bits specified in the count 
operand (an immediate value or a value contained in the CL register). 

This instruction differs from ROR in that it treats CF as a one-bit extension on the lower 
end of the destination operand. Each bit which exits from the right side of the operand 
moves into the CF flag. At the same time, the bit in the CF flag enters the left side. See 
Figure 3-14. 

3.4.4.4 FAST "BIT BLT" USING DOUBLE-SHIFT INSTRUCTIONS 

One purpose of the double shift instructions is to implement a bit string move, with 
arbitrary misalignment of the bit strings. This is called a "bit bit" (BIT BLock Transfer). 
A simple example is to move a bit string from an arbitrary offset into a doubleword- 
aligned byte string. A left-to-right string is moved 32 bits at a time if a double shift is 
used inside the move loop. 



nov 


ESI,ScrAddr 


nov 


EDI,DestAddr 


nov 


EBX,lilordCnt 


nov 


CL,RelDffsGt ; 


nov 


EDX, [ESIJ ; 


ADD 


ESI,^ 


BltLoop: 




LDDS 




SHLD 


EDX,EAX,CL 


XCHG 


EDX,EAX ; 


STDS 




DEC 


EBX ; 


JNZ 


BltLoop 



relative offset Dest-Src 
load first word of source 
bump source address 

new low order part 

EDX overwritten with aligned stuff 

Swap high/low order words 

Write out next aligned chunk 

Decrement loop count 



fB- 



DESTINATION 



MEMORY OR REGISTER 



3n 



Figure 3-13. RCL Instruction 
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Figure 3-14. RCR Instruction 
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This loop is simple, yet allows the data to be moved in 32-bit chunks for the highest 
possible performance. Without a double shift, the best which can be achieved is 16 bits 
per loop iteration by using a 32-bit shift, and replacing the XCHG instruction with a 
ROR instruction by 16 to swap the high and low words of registers. A more general loop 
than shown above would require some extra masking on the first doubleword moved 
(before the main loop), and on the last doubleword moved (after the main loop), but 
would have the same 32-bits per loop iteration as the code above. 



3.4.4.5 FAST BIT STRING INSERT AND EXTRACT 



The double shift instructions also make possible: 

© Fast insertion of a bit string from a register into an arbitrary bit location in a larger 
bit string in memory, without disturbing the bits on either side of the inserted bits 

® Fast extraction of a bit string into a register from an arbitrary bit location in a larger 
bit string in memory, without disturbing the bits on either side of the extracted bits 

The following coded examples illustrate bit insertion and extraction under various 
conditions: 



1. Bit String Insertion into Memory (when the bit string is 1-25 bits long, i.e., spans 
four bytes or less): 

Insert a right-justified bit string from a register into 
a bit string in memory. 



Assumptions: 

1. The base of the string array is doubleword aligned- 

E. The length of the bit string is an immediate value 

and the bit offset is held in a register. 

The ESI register holds the right-justified bit string 

to be inserted. 

The EDI register holds the bit offset of the start of the 

substring. 

The EAX register and ECX are also used- 



save original offset 

divide offset by fi (byte addr) 

get low three bits of offset 

move string dword into EAX 

right justify old bit field 

bring in new bits 

right justify new bit field 

bring to final position 

replace doubleword in memory 



nov 


ECX, EDI 


SHR 


EDI, 3 


AND 


CL,7H 


nov 


EAX,[EDI]strg_base 


RDR 


EAX,CL 


SHRD 


EAX, ESI, length 


RDL 


EAX, length 


RGL 


EAX,CL 



nDV[EDI]strg_base,EAX 
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2. Bit String Insertion into Memory (when the bit string is 1-31 bits long, i.e., spans 
five bytes or less): 

Insert a right-justified bit string from a register into 
a bit string in memory. 

Assumptions: 

1- The base of the string array is doubleword aligned. 

E. The length of the bit string is an immediate value 

and the bit offset is held in a register. 

The ESI register holds the right-justified bit string 

to be inserted. 

The EDI register holds the bit offset of the start of the 

substring. 

The EAX, EBX, ECX, and EDI registers also arQ used. 

temp storage for offset 
divide offset by 3E (dwords) 
multiply by 4 (byte address) 
get low five bits of offset 
move low string dword into EAX 
other string dword into EDX 
temp storage for part of string 
shift by offset within dword 
shift by offset within dword 
bring in new bits 
right justify new bit field 
temp storage for string 
shift by offset within word 
shift by offset within word 
replace dword in memory 
replace dword in memory 

3. Bit String Insertion into Memory (when the bit string is exactly 32 bits long, i.e., 
spans four or five bytes): 

Insert right-justified bit string from a register into 
a bit string in memory. 

Assumptions: 

1. The base of the string array is doubleword aligned. 
E- The length of the bit string is 3E bits 
and the bit offset is held in a register. 

The ESI register holds the 3S-bit string to be inserted. 

The EDI register holds the bit offset to the start of the 

substring. 

The EAX, EBX, ECX, and EDI registers also are used. 



riDv 


ECX, EDI 


SHR 


EDI, 5 


SHL 


EDI,E 


AND 


CL,1FH 


nov 


EAX,[EDI]strg_base 


(10V 


EDX,[EDI]strg_base+4 


nov 


EBX, EAX 


SHRD 


EAX, EDX, CL 


SHRD 


EAX, EBX, CL 


SHRD 


EAX, ESI, length 


ROL 


EAX, length 


nov 


EBX, EAX 


SHLD 


EAX, EDX, CL 


SHLD 


EDX, EBX, CL 


nov 


[EDI]strg_base,EAX 


nov 


[EDI]strg_base+4,EDX 



nov EDX, EDI 



', save original offset 
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SHR 


EDI, 5 


SHL 


EDI,E 


AND 


CL,1FH 


nov 


EAX,[EDI]strg_base 


nov 


EDX,[EDI]strg_base+N 


nov 


EBX,EAX 


SHRD 


EAX,EDX 


SHRD 


EDX,EBX 


nov 


EAX,ESI 


nov 


EBX,EAX 


SHLD 


EAX,EDX 


SHLD 


EDX,EBX 


nov 


[EDI]strg_basG,EAX 


nov 


[EDI]strg_basG,+q,EDX 



divide offset by 32 (dwords) 
multiply by ^ (byte address) 
isolate low five bits of offset 
move low string dword into EAX 
other string dword into EDX 
temp storage for part of string 
shift by offset within dword 
shift by offset within dword 
move 32-bit field into position 
temp storage for part of string 
shift by offset within word 
shift by offset within word 
replace dword in memory 
replace dword in memory 

4. Bit String Extraction from Memory (when the bit string is 1-25 bits long, i.e., spans 
four bytes or less): 

Extract a right-justified bit string into a register from 
a bit string in memory. 

Assumptions: 

1) The base of the string array is doubleword aligned. 

2) The length of the bit string is an immediate value 
and the bit offset is held in a register. 

The EAX register hold the right-justified, zero-padded 

bit string that was extracted. 

The EDI register holds the bit offset of the start of the 

substring. 

The EDI, and ECX registers also are used. 



nov ECX, EDI 

SHR EDI, 3 

AND. CL,7H 

nov EAX,[EDI]strg_base 

SHR EAX,CL 

AND EAX, mask 



temp storage for offset 
divide offset by fl (byte addr) 
get low three bits of offset 
move string dword into EAX 
shift by offset within dword 
extracted bit field in EAX 



5. Bit String Extraction from Memory (when bit string is 1-32 bits long, i.e., spans five 
bytes or less): 

Extract a right-justified bit string into a register from a 
bit string in memory. 

Assumptions: 

1) The base of the string array is doubleword aligned. 

2) The length of the bit string is an immediate 
value and the bit offset is held in a register. 

The EAX register holds the right-justified, zero-padded 
bit string that was extracted. 
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nov 


ECX,EDI 


SHR 


EDI,S 


SHL 


EDI, 2 


AND 


CL,1PH 


fIDV 


EAX,[EDI]strg_base 


fIDV 


EDX,[EDI]strg_basG +^ 


SHRD 


EAX,EDX,CL 


AND 


EAX,inask 



The EDI register holds the bit offset of the start of the 

substring. 

The EAX, EBX, and ECX registers also avQ used. 

temp storage for offset 
divide offset by 35 (dwords) 
multiply by ^ (byte address) 
get low five bits of offset in 
move low string dword into EAX 
other string dword into EDX 
shift right by offset in dword 
extracted bit field in EAX 



3.4,5 Byte-Set-On-Condition Instructions 

This group of instructions sets a byte to the value of zero or one, depending on any of 
the 16 conditions defined by the status flags. The byte may be in a register or in memory. 
These instructions are especially useful for implementing Boolean expressions in high- 
level languages such as Pascal. 

Some languages represent a logical one as an integer with all bits set. This can be done 
by using the SETcc instruction with the mutually exclusive condition, then decrementing 
the result. 

SETcc (Set Byte on Condition cc) loads the value 1 into a byte if condition cc is true; 
clears the byte otherwise. See Appendix D for a definition of the possible conditions. 



3.4.6 Test Instruction 

TEST (Test) performs the logical "and" of the two operands, clears the OF and CF 
flags, leaves the AF flag undefined, and updates the SF, ZF, and PF flags. The flags can 
be tested by conditional control transfer instructions or the byte-set-on-condition in- 
structions. The operands may be bytes, words, or doublewords. 

The difference between the TEST and AND instructions is the TEST instruction does 
not alter the destination operand. The difference between the TEST and BT instructions 
is the TEST instruction can test the value of multiple bits in one operation, while the BT 
instruction tests a single bit. 



3.5 CONTROL TRANSFER INSTRUCTIONS 

The 386 DX microprocessor provides both conditional and unconditional control trans- 
fer instructions to direct the flow of execution. Conditional transfers are executed only 
for certain combinations of the state of the flags. Unconditional control transfers are 
always executed. 
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3.5.1 Unconditional Transfer Instructions 

The JMP, CALL, RET, INT and IRET instructions transfer execution to a destination 
in a code segment. The destination can be within the same code segment {near transfer) 
or in a different code segment (far transfer). The forms of these instructions which 
transfer execution to other segments are discussed in a later section of this chapter. If 
the model of memory organization used in a particular application does not make seg- 
ments visible to application programmers, far transfers will not be used. 

3.5.1.1 JUMP INSTRUCTION 

JMP (Jump) unconditionally transfers execution to the destination. The JMP instruction 
is a one-way transfer of execution; it does not save a return address on the stack. 

The JMP instruction transfers execution from the current routine to a different routine. 
The address of the routine is specified in the instruction, in a register, or in memory. The 
location of the address determines whether it is interpreted as a relative address or an 
absolute address. 

Relative Address. A relative jump uses a displacement (immediate mode constant used 
for address calculation) held in the instruction. The displacement is signed and variable- 
length (byte or doubleword). The destination address is formed by adding the displace- 
ment to the address held in the EIP register. The EIP register then contains the address 
of the next instruction to be executed. 

Absolute Address. An absolute jump is used with a 32-bit segment offset in either of the 
following ways: 

1. The program can jump to an address in a general register. This 32-bit value is copied 
into the EIP register and execution continues. 

2. The destination address can be a memory operand specified using the standard 
addressing modes. The operand is copied into the EIP register and execution 
continues. 

3.5.1.2 CALL INSTRUCTIONS 

CALL (Call Procedure) transfers execution and saves the address of the instruction 
following the CALL instruction for later use by a RET (Return) instruction. CALL 
pushes the current contents of the EIP register on the stack. The RET instruction in the 
called procedure uses this address to transfer execution back to the calling program. 

CALL instructions, like JMP instructions, have relative and absolute forms. 

Indirect CALL instructions specify an absolute address in one of the following ways: 

L The program can jump to an address in a general register. This 32-bit value is copied 
into the EIP register, the return address is pushed on the stack, and execution 
continues. 
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2. The destination address can be a memory operand specified using the standard 
addressing modes. The operand is copied into the EIP register, the return address is 
pushed on the stack, and execution continues. 

3.5.1.3 RETURN AND RETURN-FROM-INTERRUPT INSTRUCTIONS 

RET (Return From Procedure) terminates a procedure and transfers execution to the 
instruction following the CALL instruction which originally invoked the procedure. The 
RET instruction restores the contents of the EIP register which were pushed on the 
stack when the procedure was called. 

The RET instructions have an optional immediate operand. When present, this constant 
is added to the contents of the ESP register, which has the effect of removing any 
parameters pushed on the stack before the procedure call. 

IRET (Return From Interrupt) returns control to an interrupted procedure. The IRET 
instruction differs from the RET instruction in that it also restores the EFLAGS register 
from the stack. The contents of the EFLAGS register are stored on the stack when an 
interrupt occurs. 



3.5.2 Conditional Transfer Instructions 

The conditional transfer instructions are jumps which transfer execution if the states in 
the EFLAGS register match conditions specified in the instruction. 

3.5.2.1 CONDITIONAL JUMP INSTRUCTIONS 

Table 3-3 shows the mnemonics for the jump instructions. The instructions listed as pairs 
are alternate names for the same instruction. The assembler provides these names for 
greater clarity in program listings. 

A form of the conditional jump instructions is available which uses a displacement added 
to the contents of the EIP register if the specified condition is true. The displacement 
may be a byte or doubleword. The displacement is signed; it can be used to jump for- 
ward or backward. 



3.5.2.2 LOOP INSTRUCTIONS 

The loop instructions are conditional jumps which use a value placed in the ECX regis- 
ter as a count for the number of times to run a loop. All loop instructions decrement the 
contents of the ECX register on each repetition and terminate when zero is reached. 
Four of the five loop instructions accept the ZF flag as a condition for terminating the 
loop before the count reaches zero. 
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Table 3-3. Conditional Jump Instructions 



Unsigned Conditional Jumps 


Mnemonic 


Flag States 


Description 


JA/JNBE 


(OF or ZF) = 


above/not below nor equal 


JAE/JNB 


OF = 


above or equal/not below 


JB/JNAE 


OF = 1 


below/not above nor equal 


JBE/JNA 


(OF or ZF) = 1 


below or equal/not above 


JO 


OF - 1 


carry 


JE/JZ 


ZF - 1 


equal/zero 


JNC 


OF = 


not carry 


JNE/JNZ 


ZF - 


not equal/not zero 


JNP/JPO 


PF = 


not parity/parity odd 


JP/JPE 


PF = 1 


parity/parity even 


Signed Conditional Jumps 


JG/JNLE 


((SF xor OF) or ZF) = 


greater/not less nor equal 


JGE/JNL 


(SF xor OF) = 


greater or equal/not less 


JUJNGE 


(SF xor OF) - 1 


less/not greater nor equal 


JLE/JNG 


((SF xor OF) or ZF) = 1 


less or equal/not greater 


JNO 


OF - 


not overflow 


JNS 


SF = 


not sign (non-negative) 


JO 


OF - 1 


overflow 


JS 


SF = 1 


sign (negative) 



LOOP (Loop While ECX Not Zero) is a conditional jump instruction which decrements 
the contents of the ECX register before testing for the loop-terminating condition. If 
contents of the ECX register are non-zero, the program jumps to the destination speci- 
fied in the instruction. The LOOP instruction causes the execution of a block of code to 
be repeated until the count reaches zero. When zero is reached, execution is transferred 
to the instruction immediately following the LOOP instruction. If the value in the ECX 
register is zero when the instruction is first called, the count is predecremented to 
OFFFFFFFFH and the LOOP runs 2^^ times. 



LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are synonyms for the same 
instruction. These instructions are conditional jumps which decrement the contents of 
the ECX register before testing for the loop-terminating condition. If the contents of the 
ECX register are non-zero and the ZF flag is set, the program jumps to the destination 
specified in the instruction. When zero is reached or the ZF flag is clear, execution is 
transferred to the instruction immediately following the LOOPE/LOOPZ instruction. 



LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are synonyms 
for the same instruction. These instructions are conditional jumps which decrement the 
contents of the ECX register before testing for the loop-terminating condition. If the 
contents of the ECX register are non-zero and the ZF flag is clear, the program jumps to 
the destination specified in the instruction. When zero is reached or the ZF flag is set, 
execution is transferred to the instruction immediately following the LOOPE/LOOPZ 
instruction. 
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3.5.2.3 EXECUTING A LOOP OR REPEAT ZERO TIMES 

JECXZ (Jump if ECX Zero) jumps to the destination specified in the instruction if the 
ECX register holds a value of zero. The JECXZ instruction is used in combination with 
the LOOP instruction and with the string scan and compare instructions. Because these 
instructions decrement the contents of the ECX register before testing for zero, a loop 
will run 2'^^ times if the loop is entered with a zero value in the ECX register. The 
JECXZ instruction is used to create loops which fall through without executing when the 
initial value is zero. A JECXZ instruction at the beginning of a loop can be used to jump 
out of the loop if the count is zero. When used with repeated string scan and compare 
instructions, the JECXZ instruction can determine whether the loop terminated due to 
the count or due to satisfaction of the scan or compare conditions. 



3.5.3 Software Interrupts 

The INT, INTO, and BOUND instructions allow the programmer to specify a transfer of 
execution to an exception or interrupt handler. 

INTrt (Software Interrupt) calls the handler specified by an interrupt vector encoded in 
the instruction. The INT instruction may specify any interrupt type. This instruction is 
used to support multiple types of software interrupts or to test the operation of interrupt 
service routines. The interrupt service routine terminates with an IRET instruction, 
which returns execution to the instruction following the INT instruction. 

INTO (Interrupt on Overflow) calls the handler for the overflow exception, if the OF 
flag is set. If the flag is clear, execution continues without calling the handler. The OF 
flag is set by arithmetic, logical, and string instructions. This instruction supports the use 
of software interrupts for handling error conditions, such as arithmetic overflow. 

BOUND (Detect Value Out of Range) compares the signed value held in a general reg- 
ister against an upper and lower limit. The handler for the bounds-check exception is 
called if the value held in the register is less than the lower bound or greater than the 
upper bound. This instruction supports the use of software interrupts for bounds check- 
ing, such as checking an array index to make sure it falls within the range defined for the 
array. 

The BOUND instruction has two operands. The first operand specifies the general reg- 
ister being tested. The second operand is the base address of two words or doublewords 
at adjacent locations in memory. The lower limit is the word or doubleword with the 
lower address; the upper limit has the higher address. The BOUND instruction assumes 
that the upper limit and lower limit are in adjacent memory locations. These limit values 
cannot be register operands; if they are, an invalid-opcode exception occurs. 

The upper and lower limits of an array can reside just before the array itself. This puts 
the array bounds at a constant offset from the beginning of the array. Because the 
address of the array already will be present in a register, this practice avoids extra bus 
cycles to obtain the effective address of the array bounds. 
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3.6 STRING OPERATIONS 

String operations manipulate large data structures in memory, such as alphanumeric 
character strings. See also the section on I/O for information about the string I/O in- 
structions (also known as block I/O instructions). 

The string operations are made by putting string instructions (which execute only one 
iteration of an operation) together with other features of the Intel386 architecture, such 
as repeat prefixes. The string instructions are: 

MOVS-Move String 
CMPS — Compare string 
SCAS — Scan string 
LODS- Load string 
STOS — Store string 

After a string instruction executes, the string source and destination registers point to 
the next elements in their strings. These registers automatically increment or decrement 
their contents by the number of bytes occupied by each string element. A string element 
can be a byte, word, or doubleword. The string registers are: 

ESI — Source index register 
EDI — Destination index register 

String operations can begin at higher addresses and work toward lower ones, or they can 
begin at lower addresses and work toward higher ones. The direction is controlled by: 

DF — Direction flag 

If the DF flag is clear, the registers are incremented. If the flag is set, the registers are 
decremented. These instructions set and clear the flag: 

STD — Set direction flag instruction 
CLD — Clear direction flag instruction 

To operate on more than one element of a string, a repeat prefix must be used, such as: 

REP — Repeat while the ECX register not zero 

REPE/REPZ — Repeat while the ECX register not zero and the ZF flag is set 

REPNE/REPNZ — Repeat while the ECX register not zero and the ZF flag is clear 

Exceptions or interrupts which occur during a string instruction leave the registers in a 
state which allows the string instruction to be restarted. The source and destination 
registers point to the next string elements, the EIP register points to the string instruc- 
tion, and the ECX register has the value it held following the last successful iteration. 
All that is necessary to restart the operation is to service the interrupt or fix the source 
of the exception, then execute an IRET instruction. 
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3.6.1 Repeat Prefixes 

The repeat prefixes REP (Repeat While ECX Not Zero), REPE/REPZ (Repeat While 
Equal/Zero), and REPNE/REPNZ (Repeat While Not Equal/Not Zero) specify repeated 
operation of a string instruction. This form of iteration allows string operations to pro- 
ceed much faster than would be possible with a software loop. 

When a string instruction has a repeat prefix, the operation executes until one of the 
termination conditions specified by the prefix is satisfied. 

For each repetition of the instruction, the string operation may be suspended by an 
exception or interrupt. After the exception or interrupt has been serviced, the string 
operation can restart where it left off. This mechanism allows long string operations to 
proceed without affecting the interrupt response time of the system. 

All three prefixes shown in Table 3-4 cause the instruction to repeat until the ECX 
register is decremented to zero, if no other termination condition is satisfied. The repeat 
prefixes differ in their other termination condition. The REP prefix has no other termi- 
nation condition. The REPE/REPZ and REPNE/REPNZ prefixes are used exclusively 
with the SCAS (Scan String) and CMPS (Compare String) instructions. The REPE/ 
REPZ prefix terminates if the ZF flag is clear. The REPNE/REPNZ prefix terminates if 
the ZF flag is set. The ZF flag does not require initialization before execution of a 
repeated string instruction, because both the SCAS and CMPS instructions affect the ZF 
flag according to the results of the comparisons they make. 

3.6.2 Indexing and Direction Flag Control 

Although the general registers are completely interchangable under most conditions, the 
string instructions require the use of two specific registers. The source and destination 
strings are in memory addressed by the ESI and EDI registers. The ESI register points 
to source operands. By default, the ESI register is used with the DS segment register. A 
segment-override prefix allows the ESI register to be used with the CS, SS, ES, FS, or 
GS segment registers. The EDI register points to destination operands. It uses the seg- 
ment indicated by the ES segment register; no segment override is allowed. The use of 
two different segment registers in one instruction permits operations between strings in 
different segments. 

When ESI and EDI are used in string instructions, they automatically are incremented 
or decremented after each iteration. String operations can begin at higher addresses and 
work toward lower ones, or they can begin at lower addresses and work toward higher 
ones. The direction is controlled by the DF flag. If the flag is clear, the registers are 

Table 3-4. Repeat Instructions 



Repeat Prefix 


Termination Condition 1 


Termination Condition 2 


REP 

REPE/REPZ 

REPNE/REPNZ 


m m m 
O O O 

II II II 
o o o 


none 
ZF-0 
ZF-1 
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incremented. If the flag is set, the registers are decremented. The STD and CLD in- 
structions set and clear this flag. Programmers should always put a known value in the 
DF flag before using a string instruction. 



3.6.3 String Instructions 

MOVS (Move String) moves the string element addressed by the ESI register to the 
location addressed by the EDI register. The MOVSB instruction moves bytes, the 
MOVSW instruction moves words, and the MOVSD instruction moves doublewords. 
The MOVS instruction, when accompanied by the REP prefix, operates as a memory- 
to-memory block transfer. To set up this operation, the program must initialize the ECX, 
ESI, and EDI registers. The ECX register specifies the number of elements in the block. 

CMPS (Compare Strings) subtracts the destination string element from the source string 
element and updates the AF, SF, PF, CF and OF flags. Neither string element is written 
back to memory. If the string elements are equal, the ZF flag is set; otherwise, it is 
cleared. CMPSB compares bytes, CMPSW compares words, and CMPSD compares 
doublewords. 

SCAS (Scan String) subtracts the destination string element from the EAX, AX, or AL 
register (depending on operand length) and updates the AF, SF, ZF, PF, CF and OF 
flags. The string and the register are not modified. If the values are equal, the ZF flag is 
set; otherwise, it is cleared. The SCASB instruction scans bytes; the SCASW instruction 
scans words; the SCASD instruction scans doublewords. 

When the REPE/REPZ or REPNE/REPNZ prefix modifies either the SCAS or CMPS 
instructions, the loop which is formed is terminated by the loop counter or the effect the 
SCAS or CMPS instruction has on the ZF flag. 

LODS (Load String) places the source string element addressed by the ESI register into 
the EAX register for doubleword strings, into the AX register for word strings, or into 
the AL register for byte strings. This instruction usually is used in a loop, where other 
instructions process each element of the string as they appear in the register. 

STOS (Store String) places the source string element from the EAX, AX, or AL register 
into the string addressed by the EDI register. This instruction usually is used in a loop, 
where it writes to memory the result of processing a string element read from memory 
with the LODS instruction. A REP STOS instruction is the fastest way to initialize a 
large block of memory. 



3.7 INSTRUCTIONS FOR BLOCK-STRUCTURED LANGUAGES 

These instructions provide machine-language support for implementing block-structured 
languages, such as C and Pascal. They include ENTER and LEAVE, which simplify 
procedure entry and exit in compiler-generated code. They support a structure of point- 
ers and local variables on the stack called a stack frame. 
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ENTER (Enter Procedure) creates a stack frame compatible with the scope rules of 
block-structured languages. In these languages, a procedure has access to its own vari- 
ables and some number of other variables defined elsewhere in the program. The scope 
of a procedure is the set of variables to which it has access. The rules for scope vary 
among languages; they may be based on the nesting of procedures, the division of the 
program into separately-compiled files, or some other modularization scheme. 

The ENTER instruction has two operands. The first specifies the number of bytes to be 
reserved on the stack for dynamic storage in the procedure being entered. Dynamic 
storage is the memory allocated for variables created when the procedure is called, also 
known as automatic variables. The second parameter is the lexical nesting level (from 
to 31) of the procedure. The nesting level is the depth of a procedure in the heirarchy of 
a block-structured program. The lexical level has no particular relationship to either the 
protection privilege level or to the I/O privilege level. 

The lexical nesting level determines the number of stack frame pointers to copy into the 
new stack frame from the preceding frame. A stack frame pointer is a doubleword used 
to access the variables of a procedure. The set of stack frame pointers used by a proce- 
dure to access the variables of other procedures is called the display. The first double- 
word in the display is a pointer to the previous stack frame. This pointer is used by a 
LEAVE instruction to undo the effect of an ENTER instruction by discarding the cur- 
rent stack frame. 

Example: ENTER E0Mfl,3 

Allocates 2K bytes of dynamic storage on the stack and sets up pointers to two 
previous stack frames in the stack frame for this procedure. 

After the ENTER instruction creates the display for a procedure, it allocates the dy- 
namic (automatic) local variables for the procedure by decrementing the contents of the 
ESP register by the number of bytes specified in the first parameter. This new value in 
the ESP register serves as the initial top-of-stack for all PUSH and POP operations 
within the procedure. 

To allow a procedure to address its display, the ENTER instruction leaves the EBP 
register pointing to the first doubleword in the display. Because stacks grow down, this is 
actually the doubleword with the highest address in the display. Data manipulation in- 
structions which specify the EBP register as a base register automatically address loca- 
tions within the stack segment instead of the data segment. 

The ENTER instruction can be used in two ways: nested and non-nested. If the lexical 
level is 0, the non-nested form is used. The non-nested form pushes the contents of the 
EBP register on the stack, copies the contents of the ESP register into the EBP register, 
and subtracts the first operand from the contents of the ESP register to allocate dynamic 
storage. The non-nested form differs from the nested form in that no stack frame point- 
ers are copied. The nested form of the ENTER instruction occurs when the second 
parameter (lexical level) is not zero. 
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Figure 3-15 shows the formal definition of the ENTER instruction. STORAGE is the 
number of bytes of dynamic storage to allocate for local variables, and LEVEL is the 
lexical nesting level. 

The main procedure (in which all other procedures are nested) operates at the highest 
lexical level, level L The first procedure it calls operates at the next deeper lexical level, 
level 2. A level 2 procedure can access the variables of the main program, which are at 
fixed locations specified by the compiler. In the case of level 1, the ENTER instruction 
allocates only the requested dynamic storage on the stack because there is no previous 
display to copy. 

A procedure which calls another procedure at a lower lexical level gives the called pro- 
cedure access to the variables of the caller. The ENTER instruction provides this access 
by placing a pointer to the calling procedure's stack frame in the display. 

A procedure which calls another procedure at the same lexical level should not give 
access to its variables. In this case, the ENTER instruction copies only that part of the 
display from the calling procedure which refers to previously nested procedures operat- 
ing at higher lexical levels. The new stack frame does not include the pointer for ad- 
dressing the calling procedure's stack frame. 

The ENTER instruction treats a re-entrant procedure as a call to a procedure at the 
same lexical level. In this case, each succeeding iteration of the re-entrant procedure can 
address only its own variables and the variables of the procedures within which it is 
nested. A re-entrant procedure always can address its own variables; it does not require 
pointers to the stack frames of previous iterations. 

By copying only the stack frame pointers of procedures at higher lexical levels, the 
ENTER instruction makes certain that procedures access only those variables of higher 
lexical levels, not those at parallel lexical levels (see Figure 3-16). 

Block-structured languages can use the lexical levels defined by ENTER to control ac- 
cess to the variables of nested procedures. In the figure, for example, if PROCEDURE 
A calls PROCEDURE B which, in turn, calls PROCEDURE C, then PROCEDURE C 



Push EBP 

Set a t empo r a r y va 1 ue FRAME_PTR := ESP 

If LEVEL > then 

Repeat (LEVEL- 1 ) times: 
E B P : « E B P - 4 
Push the doubleword pointed to by EBP 

End repeat 

Push FRAME_PTR 
End if 

EBP :« FRAME_PTR 
ESP : = ESP - STORAGE 



Figure 3-15. Formal Definition of the ENTER Instruction 
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Figure 3-16. Nested Procedures 

will have access to the variables of MAIN and PROCEDURE A, but not those of 
PROCEDURE B because they are at the same lexical level. The following (definition 
describes the access to variables for the nested procedures in the figure. 

1. MAIN has variables at fked locations. 

2. PROCEDURE A can access only the variables of MAIN. 

3. PROCEDURE B can access only the variables of PROCEDURE A and MAIN. 
PROCEDURE B cannot access the variables of PROCEDURE C or PROCE- 
DURE D. 

4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN. 
PROCEDURE C cannot access the variables of PROCEDURE B or PROCE- 
DURE D. 

5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, 
and MAIN. PROCEDURE D cannot access the variables of PROCEDURE B. 

In the following diagram, an ENTER instruction at the beginning of the MAIN program 
creates three doublewords of dynamic storage for MAIN, but copies no pointers from 
other stack frames (See Figure 3-17). The first doubleword in the display holds a copy of 
the last value in the EBP register before the ENTER instruction was executed. The 
second doubleword (which, because stacks grow down, is stored at a lower address) 
holds a copy of the contents of the EBP register following the ENTER instruction. After 
the instruction is executed, the EBP register points to the first doubleword pushed on 
the stack, and the ESP register points to the last doubleword in the stack frame. 

When MAIN calls PROCEDURE A, the ENTER instruction creates a new display (See 
Figure 3-18). The first doubleword is the last value held in MAIN'S EBP register. The 
second doubleword is a pointer to MAIN'S stack frame which is copied from the second 
doubleword in MAIN'S display. This happens to be another copy of the last value held in 
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Figure 3-17. Stack Frame After Entering MAIN 
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Figure 3-18. Stack Frame After Entering PROCEDURE A 
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main's EBP register. PROCEDURE A can access variables in MAIN because MAIN 
is at level 1. Therefore the base address for the dynamic storage used in MAIN is the 
current address in the EBP register, plus four bytes to account for the saved contents of 
MAIN'S EBP register. All dynamic variables for MAIN are at fixed, positive offsets from 
this value. 

When PROCEDURE A calls PROCEDURE B, the ENTER instruction creates a new 
display (See Figure 3-19). The first doubleword holds a copy of the last value in PRO- 
CEDURE A's EBP register. The second and third doublewords are copies of the two 
stack frame pointers in PROCEDURE A's display. PROCEDURE B can access vari- 
ables in PROCEDURE A and MAIN by using the stack frame pointers in its display. 
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Figure 3-19. Stack Frame After Entering PROCEDURE B 



3-34 



Intel' 



APPLICATION PROGRAMMING 



When PROCEDURE B calls PROCEDURE C, the ENTER instruction creates a new 
display for PROCEDURE C (See Figure 3-20). The first doubleword holds a copy of the 
last value in PROCEDURE B's EBP register. This is used by the LEAVE instruction to 
restore PROCEDURE B's stack frame. The second and third doublewords are copies of 
the two stack frame pointers in PROCEDURE A's display. If PROCEDURE C were at 
the next deeper lexical level from PROCEDURE B, a fourth doubleword would be 
copied, which would be the stack frame pointer to PROCEDURE B's local variables. 

Note that PROCEDURE B and PROCEDURE C are at the same level, so PROCE- 
DURE C is not intended to access PROCEDURE B's variables. This does not mean 
that PROCEDURE C is completely isolated from PROCEDURE B; PROCEDURE C 
is called by PROCEDURE B, so the pointer to the returning stack frame is a pointer to 
PROCEDURE B's stack frame. In addition, PROCEDURE B can pass parameters to 
PROCEDURE C either on the stack or through variables global to both procedures 
(i.e., variables in the scope of both procedures). 

LEAVE (Leave Procedure) reverses the action of the previous ENTER instruction. The 
LEAVE instruction does not have any operands. The LEAVE instruction copies the 
contents of the EBP register into the ESP register to release all stack space allocated to 
the procedure. Then the LEAVE instruction restores the old value of the EBP register 
from the stack. This simultaneously restores the ESP register to its original value. A 
subsequent RET instruction then can remove any arguments and the return address 
pushed on the stack by the calling program for use by the procedure. 

3.8 FLAG CONTROL INSTRUCTIONS 

The flag control instructions change the state of bits in the EFLAGS register, as shown 
in Table 3-5. 



3.8.1 Carry and Direction Flag Control Instructions 

The carry flag instructions are useful with instructions like the rotate-with-carry instruc- 
tions RCL and RCR. They can initialize the carry flag, CF, to a known state before 
execution of an instruction which copies the flag into an operand. 

The direction flag control instructions set or clear the direction flag, DF, which controls 
the direction of string processing. If the DF flag is clear, the processor increments the 
string index registers, ESI and EDI, after each iteration of a string instruction. If the DF 
flag is set, the processor decrements these index registers. 

3.8.2 Flag Transfer Instructions 

Though specific instructions exist to alter the CF and DF flags, there is no direct method 
of altering the other application-oriented flags. The flag transfer instructions allow a 
program to change the state of the other flag bits using the bit manipulation instructions 
once these flags have been moved to the stack or the AH register. 
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Figure 3-20. Stack Frame After Entering PROCEDURE C 
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Table 3-5. Flag Control Instructions 



Instruction 


Effect 


STC (Set Carry Flag) 
CLC (Clear Carry Flag) 
CMC (Complement Carry Flag) 
CLD (Clear Direction Flag) 
STD (Set Direction Flag) 


CF<-1 
CF^O 
CF ^ - (CF) 
DF<-0 
DF^1 



The LAHF and SAHF instructions deal with five of the status flags, which are used 
primarily by the arithmetic and logical instructions. 

LAHF (Load AH from Flags) copies the SF, ZF, AF, FF, and CF flags to the AH register 
bits 7, 6, 4, 2, and 0, respectively (see Figure 3-21). The contents of the remaining bits 5, 
3, and 1 are left undefined. The contents of the EFLAGS register remain unchanged. 

SAHF (Store AH into Flags) copies bits 7, 6, 4, 2, and from the AH register into the SF, 
ZF, AF, FF, and CF flags, respectively (see Figure 3-21). 

The PUSHF and POPF instructions are not only useful for storing the flags in memory 
where they can be examined and modified, but also are useful for preserving the state of 
the EFLAGS register while executing a subroutine. 

PUSHF (Push Flags) pushes the lower word of the EFLAGS register onto the stack (see 
Figure 3-22). The PUSHED instruction pushes the entire EFLAGS register onto the 
stack (the RF flag reads as clear, however). 

POPF (Pop Flags) pops a word from the stack into the EFLAGS register. Only bits 14, 
11, 10, 8, 7, 6, 4, 2, and are affected with all uses of this instruction. If the privilege 
level of the current code segment is (most privileged), the lOPL bits (bits 13 and 12) 
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Figure 3-21. Low Byte of EFLAGS Register 
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Figure 3-22. Flags Used with PUSHF and POPF 

also are affected. If the I/O privilege level (lOPL) is 0, the IF flag (bit 9) also is affected. 
The POPFD instruction pops a doubleword into the EFLAGS register, but it only can 
change the state of the same bits affected by a POPF instruction. 



3.9 COPROCESSOR INTERFACE INSTRUCTIONS 

The 387 DX Numerics Coprocessor provides an extension to the instruction set of the 
base architecture. The coprocessor extends the instruction set of the 386 DX micropro- 
cessor to support high-precision integer and floating-point calculations. These extensions 
include arithmetic, comparison, transcendental, and data transfer instructions. The co- 
processor also contains frequently-used constants, to enhance the speed of numeric 
calculations. 

The coprocessor instructions are embedded in the instructions for the 386 DX micropro- 
cessor, as though they were being executed by a single processor having both integer and 
floating-point capabilities. But the coprocessor actually works in parallel with the 386 
microprocessor, so the performance is higher. 

The 386 DX microprocessor also has features to support emulation of the numerics 
coprocessor when the coprocessor is absent. The software emulation of the coprocessor 
is transparent to application software, but much slower. See Chapter 11 for more infor- 
mation on coprocessor emulation. 

ESC (Escape) is a bit pattern which identifies floating-point arithmetic instructions. The 
ESC bit pattern tells the processor to send the opcode and operand addresses to the 
numerics coprocessor. The coprocessor uses instructions containing the ESC bit pattern 
to perform high-performance, high-precision floating point arithmetic. When the copro- 
cessor is not present, these instructions generate coprocessor-not-available exceptions. 
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WAIT (Wait) is an instruction which suspends program execution while the BUSY# pin 
is active. The signal on this pin indicates that the coprocessor has not completed an 
operation. When the operation completes, the processor resumes execution and can 
read the result. The WAIT instruction is used to synchronize the processor with the 
coprocessor. Typically, a coprocessor instruction is launched, a WAIT instruction is ex- 
ecuted, then the results of the coprocessor instruction are read. Between the coprocessor 
instruction and the WAIT instruction, there is an opportunity to execute some number 
of non-coprocessor instructions in parallel with the coprocessor instruction. 

3.10 SEGMENT REGISTER INSTRUCTIONS 

There are several distinct types of instructions which use segment registers. They are 
grouped together here because, if system designers choose an unsegmented model of 
memory organization, none of these instructions are used. The instructions which deal 
with segment registers are: 

1. Segment-register transfer instructions. 

nOV SegReg, ... 
riDV ..., SegReg 
PUSH SegReg 
POP SegReg 

2. Control transfers to another executable segment. 

JHP far 
CALL far 
RET far 

3. Data pointer instructions. 

LDS reg, Nfl-bit memory operand 

LES reg, 4fi-bit memory operand 

LFS reg, ^fl-bit memory operand 

LGS reg, ^fl-bit memory operand 

LSS reg, ^fl-bit memory operand 

4. Note that the following interrupt-related instructions also are used in unsegmented 
systems. Although they can transfer execution between segments when segmentation 
is used, this is transparent to the application programmer. 

INT n 
INTO 
BOUND 
IRET 

3.10.1 Segment-Register Transfer Instructions 

Forms of the MOV, POP, and PUSH instructions also are used to load and store seg- 
ment registers. These forms operate like the general-register forms, except that one 
operand is a segment register. The MOV instruction cannot copy the contents of a 
segment register into another segment register. 
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The POP and MOV instructions cannot place a value in the CS register (code segment); 
only the far control-transfer instructions affect the CS register. When the destination is 
the SS register (stack segment), interrupts are disabled until after the next instruction. 

When a segment register is loaded, the signal on the LOCK# pin of the processor is 
asserted. This prevents other bus masters from modifying a segment descriptor while it is 
being read. 

No 16-bit operand size prefix is needed when transferring data between a segment reg- 
ister and a 32-bit general register. 



3.10.2 Far Control Transfer Instructions 

The far control-transfer instructions transfer execution to a destination in another seg- 
ment by replacing the contents of the CS register. The destination is specified by a far 
pointer, which is a 16-bit segment selector and a 32-bit offset into the segment. The far 
pointer can be an immediate operand or an operand in memory. 

Far CALL. An intersegment CALL instruction places the values held in the EIP and CS 
registers on the stack. 

Far RET. An intersegment RET instruction restores the values of the CS and EIP reg- 
isters from the stack. 



3.10.3 Data Pointer Instructions 

The data pointer instructions load a far pointer into the processor registers. A far 
pointer consists of a 16-bit segment selector, which is loaded into a segment register, and 
a 32-bit offset into the segment, which is loaded into a general register. 

LDS (Load Pointer Using DS) copies a far pointer from the source operand into the DS 
register and a general register. The source operand must be a memory operand, and the 
destination operand must be a general register. 

Example: LDS ESI, STRING_X 

Loads the DS register with the segment selector for the segment addressed by 
STRING_X, and loads the offset within the segment to STRING_X into the ESI 
register. Specifying the ESI register as the destination operand is a convenient way 
to prepare for a string operation, when the source string is not in the current data 
segment. 

LES (Load Pointer Using ES) has the same effect as the LDS instruction, except the 
segment selector is loaded into the ES register rather than the DS register. 

Example: LES EDI, DESTINATION_X 
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Loads the ES register with the segment selector for the segment addressed by DES- 
TINATION_X, and loads the offset within the segment to DESTINATION_X into 
the EDI register. This instruction is a convenient way to select a destination for a 
string operation if the desired location is not in the current E-data segment. 

LFS (Load Pointer Using FS) has the same effect as the LDS instruction, except the FS 
register receives the segment selector rather than the DS register. 

LGS (Load Pointer Using GS) has the same effect as the LDS instruction, except the GS 
register receives the segment selector rather than the DS register. 

LSS (Load Pointer Using SS) has the same effect as the LDS instruction, except the SS 
register receives the segment selector rather than the DS register. This instruction is 
especially important, because it allows the two registers which identify the stack (the SS 
and ESP registers) to be changed in one uninterruptible operation. Unlike the other 
instructions which can load the SS register, interrupts are not inhibited at the end of the 
LSS instruction. The other instructions, such as POP SS, turn off interrupts to permit 
the following instruction to load the ESP register without an intervening interrupt. Since 
both the SS and ESP registers can be loaded by the LSS instruction, there is no need to 
disable or re-enable interrupts. 



3.11 MISCELLANEOUS INSTRUCTIONS 

The following instructions do not fit in any of the previous categories, but are no less 
important. 



3.11.1 Address Calculation Instruction 

LEA (Load Effective Address) puts the 32-bit offset to a source operand in memory 
(rather than its contents) into the destination operand. The source operand must be in 
memory, and the destination operand must be a general register. This instruction is 
especially useful for initializing the ESI or EDI registers before the execution of string 
instructions or initializing the EBX register before an XLAT instruction. The LEA in- 
struction can perform any indexing or scaling which may be needed. 

Example: LEA EBX, EBCDIC.TABLE 

Causes the processor to place the address of the starting location of the table la- 
beled EBCDIC_TABLE into EBX. 



3.11.2 No-Operation Instruction 

NOP (No Operation) occupies a byte of code space. When executed, it increments the 
EIP register to point at the next instruction, but affects nothing else. 
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3.11.3 Translate Instruction 

XLATB (Translate) replaces the contents of the AL register with a byte read from a 
translation table in memory. The contents of the AL register are interpreted as an 
unsigned index into this table, with the contents of the EBX register used as the base 
address. The XLAT instruction does the same operation and loads its result into the 
same register, but it gets the byte operand from memory. This function is used to convert 
character codes from one alphabet into another. For example, an ASCII code could be 
used to look up its EBCDIC equivalent. 



3.12 USAGE GUIDELINES 

The instruction set of the 386 DX microprocessor has been designed with certain pro- 
gramming practices in mind. These practices are particularly relevant to assembly lan- 
guage programmers, but may be of interest to compiler designers as well. 



• 



• 



Use the EAX register when possible. Many instructions are one byte shorter when 
the EAX register is used, such as loads and stores to memory when absolute ad- 
dresses are used, transfers to other registers using the XCHG instruction, and oper- 
ations using immediate operands. 

Use the D-data segment when possible. Instructions which deal with the D-space are 
one byte shorter than instructions which use the other data segments, because of the 
lack of a segment-override prefix. 

• Emphasize short one-, two-, and three-byte instructions. Because instructions for the 
386 DX microprocessor begin and end on byte boundaries, it has been possible to 
provide many instruction encodings which are more compact than those for proces- 
sors with word-aligned instruction sets. An instruction in a word-aligned instruction 
set must be either two or four bytes long (or longer). Byte alignment reduces code 
size and increases execution speed. 

• Access 16-bit data with the MOVSX and MOVZX instructions. These instructions 
sign-extend and zero-extend word operands to doubleword length. This eliminates the 
need for an extra instruction to initialize the high word. 

• For fastest interrupt response, use the NMI interrupt when possible. 

• In place of using an ENTER instruction at lexical level 0, use a code sequence like: 

PUSH EBP 

nOV EBP, ESP 

SUB ESP, BYTE_CDUNT 

This executes in six clock cycles, rather than ten. 

The following techniques may be applied as optimizations to enhance the speed of a 
system after its basic functions have been implemented: 

• The jump instructions come in two forms: one form has an eight-bit immediate for 
relative jumps in the range from 128 bytes back to 127 bytes forward, the other form 
has a full 32-bit displacement. Many assemblers use the long form in situations where 
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the short form can be used. When it is clear that the short form may be used, expHc- 
itly specify the destination operand as being byte length. This tells the assembler to 
use the short form. If the assembler does not support this function, it will generate an 
error. Note that some assemblers perform this optimization automatically. 

Use the ESP register to reference the stack in the deepest level of subroutines. Don't 
bother setting up the EBP register and stack frame. 

For fastest task switching, perform task switching in software. This allows a smaller 
processor state to be saved and restored. See Chapter 7 for a discussion of 
multitasking. 

Use the LEA instruction for adding registers together. When a base register and 
index register are used with the LEA instruction, the destination is loaded with their 
sum. The contents of the index register may be scaled by 2, 4, or 8. 

Use the LEA instruction for adding a constant to a register. When a base register and 
a displacement are used with the LEA instruction, the destination is loaded with their 
sum. The LEA instruction can be used with a base register, index register, scale 
factor, and displacement. 

Use integer move instructions to transfer floating-point data. 

Use the form of the RET instruction which takes an immediate value for byte-count. 
This is a faster way to remove parameters from the stack than an ADD ESP instruc- 
tion. It saves three clock cycles on every subroutine return, and 10% in code size. 

When several references are made to a variable addressed with a displacement, load 
the displacement into a register. 
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CHAPTER 4 
SYSTEM ARCHITECTURE 



Many of the architectural features of the 386^" DX microprocessor are used only by 
system programmers. This chapter presents an overview of these features. Application 
programmers may need to read this chapter, and the following chapters which describe 
the use of these features, in order to understand the hardware facilities used by system 
programmers to create a reliable and secure environment for application programs. The 
system-level architecture also supports powerful debugging features which application 
programmers may wish to use during program development. 

The system-level features of the Intel386™ architecture include: 

Memory Management 

Protection 

Multitasking 

Input/Output 

Exceptions and Interrupts 

Initialization 

Coprocessing and Multiprocessing 

Debugging 

These features are supported by registers and instructions, all of which are introduced in 
the following sections. The purpose of this chapter is not to explain each feature in 
detail, but rather to place the remaining chapters of Part II in perspective. When a 
register or instruction is mentioned, it is accompanied by an explanation or a reference 
to a following chapter. 



4.1 SYSTEM REGISTERS 

The registers intended for use by system programmers fall into these categories: 

EFLAGS Register 
Memory-Management Registers 
Control Registers 
Debug Registers 
Test Registers 

The system registers control the execution environment of application programs. Most 
systems restrict access to these facilities by application programs (although systems can 
be built where all programs run at the most privileged level, in which case application 
programs are allowed to modify these facilities). 
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4.1.1 System Flags 



The system flags of the EFLAGS register control I/O, maskable interrupts, debugging, 
task switching, and the virtual-8086 mode. An application program should ignore these 
flags. An application program should not attempt to change their state. In most systems, 
an attempt to change the state of a system flag by an application program results in an 
exception. The 386 DX microprocessor makes use of some of the bit positions which are 
reserved on the 386 DX microprocessor. A 386 DX program should not attempt to 
change the state of these bits. These flags are shown in Figure 4-1. 



VM (Virtual-8086 Mode, bit 17) 



Setting the VM flag places the processor in virtual-8086 mode. This is an emulation 
of the programming environment of an 8086 processor. See Chapter 15 for more 
information. 



RF (Resume Flag, bit 16) 



The RF flag temporarily disables debug exceptions so that an instruction can be 
restarted after a debug exception without immediately causing another debug excep- 
tion. When the debugger is entered, this flag allows it to run normally (rather than 
recursively calling itself until the stack overflows). The RF flag is not affected by the 
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Figure 4-1 . System Flags 
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POPF instruction, but it is affected by the POPFD and IRET instructions. See 
Chapter 12 for details. 

NT (Nested Task, bit 14) 

The processor uses the nested task flag to control chaining of interrupted and called 
tasks. The NT flag affects the operation of the IRET instruction. The NT flag is 
affected by the POPF, POPFD, and IRET instructions. Improper changes to the 
state of this flag can generate unexpected exceptions in application programs. See 
Chapter 7 and Chapter 9 for more information on nested tasks. 

lOPL (I/O Privilege Level, bits 12 and 13) 

The I/O privilege level is used by the protection mechanism to control access to the 
I/O address space. The privilege level of the code segment currently executing 
(CPL) and the lOPL determine whether this field can be modified by the POPF, 
POPFD, and IRET instructions. See Chapter 8 for more information. 

IF (Interrupt-Enable Flag, bit 9) 

Setting the IF flag puts the processor in a mode in which it responds to maskable 
interrupt requests (INTR interrupts). Clearing the IF flag disables these interrupts. 
The IF flag has no effect on either exceptions or nonmaskable interrupts (NMI 
interrupts). The CPL and lOPL determine whether this field can be modified by the 
CLI, STI, POPF, POPFD, and IRET instructions. See Chapter 9 for more details 
about interrupts. 

TF (Trap Flag, bit 8) 

Setting the TF flag puts the processor into single-step mode for debugging. In this 
mode, the processor generates a debug exception after each instruction, which al- 
lows a program to be inspected as it executes each instruction. Single-stepping is just 
one of several debugging features of the 386 DX microprocessor. If an application 
program sets the TF flag using the POPF, POPFD, or IRET instructions, a debug 
exception is generated. See Chapter 12 for more information. 



4.1.2 Memory-Management Registers 

Four registers of the 386 DX microprocessor specify the location of the data structures 
which control segmented memory management, as shown in Figure 4-2. Special instruc- 
tions are provided for loading and storing these registers. The GDTR and IDTR regis- 
ters may be loaded with instructions which get a six-byte block of data from memory. 
The LDTR and TR registers may be loaded with instructions which take a 16-bit seg- 
ment selector as an operand. The remaining bytes of these registers are then loaded 
automatically by the processor from the descriptor referenced by the operand. 

4-3 



Intel' 



SYSTEM ARCHITECTURE 



SELECTOR 
15 


31 


BASE ADDRESS 


15 


LIMIT 





TR 
LDTR 
IDTR 
GDTR 

2403311 












1 








., 1 






























1 1 




1 









Figure 4-2. Memory Management Registers 

Most systems will protect the instructions which load memory-management registers 
from use by application programs (although a system in which no protection is used is 
possible). 

GDTR Global Descriptor Table Register 

This register holds the 32-bit base address and 16-bit segment limit for the 
global descriptor table (GDT). When a reference is made to data in mem- 
ory, a segment selector is used to find a segment descriptor in the GDT or 
LDT. A segment descriptor contains the base address for a segment. See 
Chapter 5 for an explanation of segmentation. 

LDTR Local Descriptor Table Register 

This register holds the 32-bit base address, 16-bit segment limit, and 16-bit 
segment selector for the local descriptor table (LDT). The segment which 
contains the LDT has a segment descriptor in the GDT. There is no seg- 
ment descriptor for the GDT. When a reference is made to data in mem- 
ory, a segment selector is used to find a segment descriptor in the GDT or 
LDT. A segment descriptor contains the base address for a segment. See 
Chapter 5 for an explanation of segmentation. 

IDTR Interrupt Descriptor Table Register 

This register holds the 32-bit base address and 16-bit segment limit for the 
interrupt descriptor table (IDT). When an interrupt occurs, the interrupt 
vector is used as an index to get a gate descriptor from this table. The gate 
descriptor contains a far pointer used to start up the interrupt handler. See 
Chapter 9 for details of the interrupt mechanism. 
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TR 



Task Register 



This register holds the 32-bit base address, 16-bit segment Hmit, and 16-bit 
segment selector for the task currently being executed. It references a task 
state segment (TSS) descriptor in the global descriptor table. See 
Chapter 7 for a description of the multitasking features of the 386 DX 
microprocessor. 



4.1.3 Control Registers 

Figure 4-3 shows the format of the control registers CRO, CRl, CR2, and CR3. Most 
systems prevent application programs from loading the control registers (although an 
unprotected system would allow this). Application programs can read this register to 
determine if a numerics coprocessor is present. Forms of the MOV instruction allow the 
register to be loaded from or stored in general registers. For example: 

nOV EAX, CR0 
nOV CR3, EBX 

The CRO register contains system control flags, which control modes or indicate states 
which apply generally to the processor, rather than to the execution of an individual task. 
A program should not attempt to change any of the reserved bit positions. 

PG (Paging, bit 31) 

This bit enables paging when set, and disables paging when clear. See Chapter 5 for 
more information about paging. See Chapter 10 for information on how to enable 
paging. 

R (Reserved, bit 4) 

This bit is reserved by Intel. When loading CRO, care should be taken not to alter 
the value of this bit. 



-h 
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PAGE FAULT LINEAR ADDRESS 



CR3 
CR2 
CR1 
CRO 



Figure 4-3. Control Registers 
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TS (Task Switched, bit 3) 

The processor sets the TS bit with every task switch and tests it when interpreting 
coprocessor instructions. See Chapter 11 for more information. 

EM (Emulation, bit 2) 

When set, the EM bit indicates coprocessor functions are to be emulated in soft- 
ware. See Chapter 11 for more information. 

MP (Math Present, bit 1) 

The MP bit controls the function of the WAIT instruction, which is used to synchro- 
nize with a coprocessor. See Chapter 11 for more information. 

PE (Protection Enable, bit 0) 

Setting the PE bit enables protection of segments and pages. See Chapter 6 for more 
information about protection. See Chapter 10 and Chapter 14 for information on 
how to enable paging. 

When an exception is generated during paging, the CR2 register has the 32-bit linear 
address which caused the exception. See Chapter 9 for more information about handling 
exceptions generated during paging (page faults). 

When paging is used, the CR3 register has the 20 most-significant bits of the address of 
the page directory (the first-level page table). Note that the page directory must be 
aligned to a page boundary, so the low 12 bits of the register must be kept clear. The 
CR3 register is also known as the page-directory base register (PDBR). 



4.1.4 Debug Registers 

The debug registers bring advanced debugging abilities to the 386 DX microprocessor, 
including data breakpoints and the ability to set instruction breakpoints without modify- 
ing code segments (useful in debugging ROM-based software). Only programs executing 
with the highest level of privileges may access these registers. See Chapter 12 for a 
complete description of their formats and use. The debug registers are shown in 
Figure 4-4. 



4.1.5 Test Registers 

The test registers are not a formal part of the Intel386 architecture. They are an 
implementation-dependent facility provided for testing the translation lookaside buffer 
(TLB). See Chapter 10 for a complete description of their formats and use. The test 
registers are shown in Figure 4-5. 
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Figure 4-4. Debug Registers 
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4.2 SYSTEM INSTRUCTIONS 



System instructions deal with functions such as: 



1. Verification of pointer parameters (see Chapter 6): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


ARPL 

LAR 

LSL 

VERR 

VERW 


Adjust RPL 
Load Access Rights 
Load Segment Limit 
Verify for Reading 
Verify for Writing 


No 
Yes 
Yes 
Yes 
Yes 


No 
No 
No 
No 
No 



2. Addressing descriptor tables (see Chapter 5): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


LLDT 
SLOT 
LGDT 
SGDT 


Load LDT Register 
Store LDT Register 
Load GDT Register 
Store GDT Register 


Yes 
Yes 
No 
No 


No 
No 
Yes 
No 



3. Multitasking (see Chapter 7): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


LTR 
STR 


Load Task Register 
Store Task Register 


No 
Yes 


Yes 
No 



4. Coprocessing and Multiprocessing (see Chapter 11): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


CLTS 
ESC 
WAIT 
LOCK 


Clear TS bit in CRO 

Escape Instructions 

Wait Until Coprocessor Not Busy 

Assert Bus-Lock 


No 
Yes 
Yes 
No 


Yes 

No 

No 

Can be 



5. Input and Output (see Chapter 8): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


IN 

OUT 
INS 
OUTS 


Input 
Output 
Input String 
Output String 


Yes 
Yes 
Yes 
Yes 


Can be 
Can be 
Can be 
Can be 
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6. Interrupt control (see Chapter 9): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


CLI 
STI 
LIDT 
SIDT 


Clear IF flag 
Store IF flag 
Load IDT Register 
Store IDT Register 


Can Be 
Can be 

No 

No 


Can be 
Can be 

Yes 

No 



7. Debugging (see Chapter 10): 



Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


MOV 


LOAD and store debug registers 


No 


Yes 



System Control 








Instruction 


Description 


Useful to 
Application? 


Protected from 
Application? 


SMSW 
LMSW 
MOV 
HLT 


Store MSW 
Load MSW 
Load and Store CRO 
Halt Processor 


No 
No 
No 
No 


No 
Yes 
Yes 
Yes 



The SMSW and LMSW instructions are provided for compatibihty with the 80286 pro- 
cessor. A program for the 386 DX microprocessor should not use these instructions. A 
program should access the CRO register using forms of the MOV instruction. The 
LMSW instruction does not affect the PG bit, and it cannot be used to clear the PE bit. 

The HLT instruction stops the processor until an enabled interrupt or RESET# signal is 
received. (Note that the NMI interrupt is always enabled.) A special bus cycle is gener- 
ated by the processor to indicate halt mode has been entered. Hardware may respond to 
this signal in a number of ways. An indicator light on the front panel may be turned on. 
An NMI interrupt for recording diagnostic information may be generated. Reset initial- 
ization may be invoked. Software designers may need to be aware of the response of 
hardware to halt mode. 

In addition to the chapters mentioned above, detailed information about each of these 
instructions can be found in the instruction reference chapter, Chapter 17. 
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CHAPTER 5 
MEMORY MANAGEMENT 

Memory management is a hardware mechanism which lets operating systems create sim- 
phfied environments for running programs. For example, when several programs are 
running at the same time, they must each be given an independent address space. If they 
all had to share the same address space, each would have to perform difficult and time- 
consuming checks to avoid interfering with the others. 

Memory management consists of segmentation and paging. Segmentation is used to give 
each program several independent, protected address spaces. Paging is used to support 
an environment where large address spaces are simulated using a small amount of RAM 
and some disk storage. System designers may choose to use either or both of these 
mechanisms. When several programs are running at the same time, either mechanism 
can be used to protect programs against interference from other programs. 

Segmentation allows memory to be completely unstructured and simple, like the memory 
model of an 8-bit processor, or highly structured with address translation and protection. 
The memory management features apply to units called segments. Each segment is an 
independent, protected address space. Access to segments is controlled by data which 
describes its size, the privilege level required to access it, the kinds of memory references 
which can be made to it (instruction fetch, stack push or pop, read operation, write 
operation, etc.), and whether it is present in memory. 

Segmentation is used to control memory access, which is useful for catching bugs during 
program development and for increasing the reliability of the final product. It also is 
used to simplify the linkage of object code modules. There is no reason to write position- 
independent code when full use is made of the segmentation mechanism, because all 
memory references can be made relative to the base addresses of a module's code and 
data segments. Segmentation can be used to create ROM-based software modules, in 
which fixed addresses (fixed, in the sense that they cannot be changed) are offsets from 
a segment's base address. Different software systems can have the ROM modules at 
different physical addresses because the segmentation mechanism will direct all memory 
references to the right place. 

In a simple memory architecture, all addresses refer to the same address space. This is 
the memory model used by 8-bit microprocessors, such as the 8080 processor, where the 
logical address is the physical address. The 386™ DX microprocessor can be used in this 
way by mapping all segments into the same address space and keeping paging disabled. 
This might be done where an older design is being updated to 32-bit technology without 
also adopting the new architectural features. 

An application also could make partial use of segmentation. A frequent cause of soft- 
ware failures is the growth of the stack into the instruction code or data of a program. 
Segmentation can be used to prevent this. The stack can be put in an address space 
separate from the address space for either code or data. Stack addresses always would 
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refer to the memory in the stack segment, while data addresses always would refer to 
memory in the data segment. The stack segment would have a maximum size enforced by 
hardware. Any attempt to grow the stack beyond this size would generate an exception. 

A complex system of programs may make full use of segmentation. For example, a 
system in which programs share data in real time can have precise control of access to 
that data. Program bugs would appear as exceptions generated when a program makes 
improper access. This would be useful as an aid to debugging during program develop- 
ment, and it also may be used to trigger error-recovery procedures in systems delivered 
to the end-user. 



Segmentation hardware translates a segmented (logical) address into an address for a 
continuous, unsegmented address space, called a linear address. If paging is enabled, 
paging hardware translates a linear address into a physical address. If paging is not 
enabled, the linear address is used as the physical address. The physical address appears 
on the address bus coming out of the processor. 

Paging is a mechanism used to simulate a large, unsegmented address space using a 
small, fragmented address space and some disk storage. Paging provides access to data 
structures larger than the available memory space by keeping them partly in memory and 
partly on disk. 

Paging is applied to units of 4K bytes cMtd pages. When a program attempts to access a 
page which is on disk, the program is interrupted in a special way. Unlike other excep- 
tions and interrupts, an exception generated due to address translation restores the 
contents of the processor registers to values which allow the exception-generating in- 
struction to be re-executed. This special treatment is called instruction restart. It allows 
the operating system to read the page from disk, update the mapping of linear addresses 
to physical addresses for that page, and restart the program. This process is transparent 
to the program. 

If an operating system never sets bit 31 of the CRO register (the PG bit), the paging 
mechanism is not enabled. Linear addresses are used as physical addresses. This might 
be done where a design using a 16-bit processor is being updated to use a 32-bit proces- 
sor. An operating system written for a 16-bit processor does not use paging because the 
size of its address space is so small (64K bytes) that it is more efficient to swap entire 
segments between RAM and disk, rather than individual pages. 

Paging would be enabled for operating systems which can support demand-paged virtual 
memory, such as UNIX. Paging is transparent to application software, so an operating 
system intended to support application programs written for 16-bit processors may run 
those programs with paging enabled. Unlike paging, segmentation is not transparent to 
application programs. Programs which use segmentation must be run with the segments 
they were designed to use. 
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5.1 SELECTING A SEGMENTATION MODEL 



A model for the segmentation of memory is chosen on the basis of rehabihty and per- 
formance. For example, a system which has several programs sharing data in real-time 
would get maximum performance from a model which checks memory references in 
hardware. This would be a multi-segment model. 



At the other extreme, a system which has just one program may get higher performance 
from an unsegmented or "flat" model. The elimination of "far" pointers and segment- 
override prefixes reduces code size and increases execution speed. Context switching is 
faster, because the contents of the segment registers no longer have to be saved or 
restored. 



Some of the benefits of segmentation also can be provided by paging. For example, data 
can be shared by mapping the same page into the address space of each program. 



5.1.1 Flat Model 



The simplest model is the flat model. In this model, all segments are mapped to the 
entire physical address space. To the greatest extent possible, this model removes the 
segmentation mechanism from the architecture seen by either the system designer or the 
application programmer. This might be done for a programming environment like 
UNIX, which supports paging but does not support segmentation. 



A segment is defined by a segment descriptor. At least two segment descriptors must be 
created for a flat model, one for code references and one for data references. The 
segment selector for the stack segment may be mapped to the data-segment descriptor. 
Whenever memory is accessed, the contents of one of the segment registers are used to 
select a segment descriptor. The segment descriptor provides the base address of the 
segment and its limit, as well as access control information (see Figure 5-1). 



ROM usually is put at the top of the physical address space, because the processor 
begins execution at OFFFFFFFOH. RAM is placed at the bottom of the address space 
because the initial base address for the DS data segment after reset initialization is 0. 



For a flat model, each descriptor has a base address of and a segment limit of 4 
gigabytes. By setting the segment limit to 4 gigabytes, the segmentation mechanism is 
kept from generating exceptions for memory references which fall outside of a segment. 
Exceptions could still be generated by the paging or protection mechanisms, but these 
also can be removed from the memory model. 
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Figure 5-1. Flat Model 



5.1.2 Protected Flat Model 



The protected flat model is like the flat model, except the segment limits are set to 
include only the range of addresses for which memory actually exists. A general- 
protection exception will be generated on any attempt to access unimplemented mem- 
ory. This might be used for systems in which the paging mechanism is disabled, because 
it provides a minimum level of hardware protection against some kinds of program bugs. 



In this model, the segmentation hardware prevents programs from addressing non- 
existent memory locations. The consequences of being allowed access to these memory 
locations are hardware-dependent. For example, if the processor does not receive a 
READY# signal (the signal used to acknowledge and terminate a bus cycle), the bus 
cycle does not terminate and program execution stops. 



Although no program should make an attempt to access these memory locations, an 
attempt may occur as a result of program bugs. Without hardware checking of addresses, 
it is possible that a bug could suddenly stop program execution. With hardware checking, 
programs fail in a controlled way. A diagnostic message can appear, and recovery pro- 
cedures can be attempted. 



An example of a protected flat model is shown in Figure 5-2. Here, segment descriptors 
have been set up to cover only those ranges of memory which exist. A code and a data 
segment cover the EPROM and DRAM of physical memory. A second data segment has 
been created to cover EPROM. This allows EPROM to be referenced as data. This 
would be done, for example, to access constants stored with the instruction code in 
ROM. 
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Figure 5-2. Protected Flat Model 
5.1.3 Multi-Segment Model 



The most sophisticated model is the multi-segment model. Here, the full capabilities of 
the segmentation mechanism are used. Each program is given its own table of segment 
descriptors, and its own segments. The segments can be completely private to the pro- 
gram, or they can be shared with specific other programs. Access between programs and 
particular segments can be individually controlled. 

Up to six segments can be ready for immediate use. These are the segments which have 
segment selectors loaded in the segment registers. Other segments are accessed by load- 
ing their segment selectors into the segment registers (see Figure 5-3). 

Each segment is a separate address space. Even though they may be placed in adjacent 
blocks of physical memory, the segmentation mechanism prevents access to the contents 
of one segment by reading beyond the end of another. Every memory operation is 
checked against the limit specified for the segment it uses. An attempt to address mem- 
ory beyond the end of the segment generates a general-protection exception. 

The segmentation mechanism only enforces the address range specified in the segment 
descriptor. It is the responsibility of the operating system to allocate separate address 
ranges to each segment. There may be situations in which it is desirable to have seg- 
ments which share the same range of addresses. For example, a system may have both 
code and data stored in a ROM. A code segment descriptor would be used when the 
ROM is accessed for instruction fetches. A data segment descriptor would be used when 
the ROM is accessed as data. 
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Figure 5-3. Multi-Segment Model 
5.2 SEGMENT TRANSLATION 

A logical address consists of the 16-bit segment selector for its segment and a 32-bit 
offset into the segment. A logical address is translated into a Hnear address by adding 
the offset to the base address of the segment. The base address comes from the segment 
descriptor, a data structure in memory which provides the size and location of a segment, 
as well as access control information. The segment descriptor comes from one of two 
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tables, the global descriptor table (GDT) or the local descriptor table (LDT). There is 
one GDT for all programs in the system, and one LDT for each separate program being 
run. If the operating system allows, different programs can share the same LDT. The 
system also may be set up with no LDTs; all programs may use the GDT. 

Every logical address is associated with a segment (even if the system maps all segments 
into the same linear address space). Although a program may have thousands of seg- 
ments, only six may be available for immediate use. These are the six segments whose 
segment selectors are loaded in the processor. The segment selector holds information 
used to translate the logical address into the corresponding linear address. 

Separate segment registers exist in the processor for each kind of memory reference (code 
space, stack space, and data spaces). They hold the segment selectors for the segments 
currently in use. Access to other segments requires loading a segment register using a 
form of the MOV instruction. Up to four data spaces may be available at the same time, 
so there are a total of six segment registers. 

When a segment selector is loaded, the base address, segment limit, and access control 
information also are loaded into the segment register. The processor does not reference 
the descriptor tables again until another segment selector is loaded. The information 
saved in the processor allows it to translate addresses without making extra bus cycles. In 
systems in which multiple processors have access to the same descriptor tables, it is the 
responsibility of software to reload the segment registers when the descriptor tables arc 
modified. If this is not done, an old segment descriptor cached in a segment register 
might be used after its memory-resident version has been modified. 

The segment selector contains a 13-bit index into one of the descriptor tables. The index 
is scaled by eight (the number of bytes in a segment descriptor) and added to the 32-bit 
base address of the descriptor table. The base address comes from either the global 
descriptor table register (GDTR) or the local descriptor table register (LDTR). These 
registers hold the linear address of the beginning of the descriptor tables. A bit in the 
segment selector specifies which table to use, as shown in Figure 5-4. 

The translated address is the linear address, as shown in Figure 5-5. If paging is not 
used, it also is the physical address. If paging is used, a second level of address transla- 
tion produces the physical address. This translation is described in Section 5.3. 



5.2.1 Segment Registers 

Each kind of memory reference is associated with a segment register. Code, data, and 
stack references each access the segments specified by the contents of their segment 
registers. More segments can be made available by loading their segment selectors into 
these registers during program execution. 

Every segment register has a "visible" part and an "invisible" part, as shown in 
Figure 5-6. There are forms of the MOV instruction to access the visible part of these 
segment registers. The invisible part is maintained by the processor. 

5-7 



intel^ 



MEMORY MANAGEMENT 





SEGMENT 
SELECTOR 


GLOBAL 

DESCRIPTOR 

TABLE 






LOCAL 

DESCRIPTOR 

TABLE 








T 
1 




Tl - Tl - ■• 






1 




1 






1 




^ 


1 




















































































































































































































^«^ 






^ 


























SELECTOR 


LDTR 






1 LIMIT 


GDTR 




LIMIT 




1 BASE ADDRESS 


BASE ADDRESS 












2403311 



Figure 5-4. Tl Bit Selects Descriptor Table 
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Figure 5-6. Segment Translation 

The operations which load these registers are instructions for apphcation programs (de- 
scribed in Chapter 3). There are two kinds of these instructions: 

1. Direct load instructions such as the MOV, POP, LDS, LSS, LGS, and LFS instruc- 
tions. These instructions explicitly reference the segment registers. 

2. Implied load instructions such as the far pointer versions of the CALL and JMP 
instructions. These instructions change the contents of the CS register as an inciden- 
tal part of their function. 

When these instructions are used, the visible part of the segment register is loaded with 
a segment selector. The processor automatically fetches the base address, limit, type, and 
other information from the descriptor table and loads the invisible part of the segment 
register. 
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Because most instructions refer to segments whose selectors already have been loaded 
into segment registers, the processor can add the offset into the segment to the seg- 
ment's base address with no performance penalty. 

5.2.2 Segment Selectors 

A segment selector points to the information which defines a segment, called a segment 
descriptor. A program may have more segments than the six whose segment selectors 
occupy segment registers. When this is true, the program uses forms of the MOV in- 
struction to change the contents of these registers when it needs to access a new 
segment. 

A segment selector identifies a segment descriptor by specifying a descriptor table and a 
descriptor within that table. Segment selectors are visible to application programs as a 
part of a pointer variable, but the values of selectors are usually assigned or modified by 
link editors or linking loaders, not application programs. Figure 5-7 shows the format of 
a segment selector. 

Index: Selects one of 8192 descriptors in a descriptor table. The processor multiplies the 
index value by 8 (the number of bytes in a segment descriptor) and adds the result to the 
base address of the descriptor table (from the GDTR or LDTR register). 

Table-Indicator bit: Specifies the descriptor table to use. A clear bit selects the GDT; a 
set bit selects the current LDT. 

Requested Privilege Level: When this field contains a privilege level having a greater 
value (i.e., less privileged) than the program, it overrides the program's privilege level. 
When a program uses a segment selector obtained from a less privileged program, this 
makes the memory access take place with the privilege level of the less privileged pro- 
gram. This is used to guard against a security violation, in which a less privileged pro- 
gram uses a more privileged program to access protected data. 

For example, system utilities or device drivers must run with a high level of privilege in 
order to access protected facilities, such as the control registers of peripheral interfaces. 
But they must not interfere with other protected facilities, even if a request to do so is 
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received from a less privileged program. If a program requested reading a sector of disk 
into memory occupied by a more privileged program, such as the operating system, the 
RPL can be used to generate a general-protection exception when the segment selector 
obtained from the less privileged program is used. This exception occurs even though the 
program using the segment selector w^ould have a sufficient privilege level to perform the 
operation on its ov^n. 

Because the first entry of the GDT is not used by the processor, a selector which has an 
index of and a table indicator of (i.e., a selector which points to the first entry of the 
GDT) is used as a "null selector." The processor does not generate an exception when a 
segment register (other than the CS or SS registers) is loaded with a null selector. It 
does, however, generate an exception when a segment register holding a null selector is 
used to access memory. This feature can be used to initialize unused segment registers. 

5.2.3 Segment Descriptors 

A segment descriptor is a data structure in memory which provides the processor with 
the size and location of a segment, as well as control and status information. Descriptors 
typically are created by compilers, linkers, loaders, or the operating system, but not 
application programs. Figure 5-8 illustrates the two general descriptor formats. The sys- 
tem segment descriptor is described more fully in Chapter 6. All types of segment de- 
scriptors take one of these formats. 

Base: Defines the location of the segment within the 4 gigabyte physical address space. 
The processor puts together the three base address fields to form a single 32-bit value. 

Granularity bit: Turns on scaling of the Limit field by a factor of 4096 (2^^). When the 
bit is clear, the segment limit is interpreted in units of one byte; when set, the segment 
limit is interpreted in units of 4K bytes (one page). Note that the twelve least significant 
bits of the address are not tested when scaling is used. For example, a limit of with the 
Granularity bit set results in valid offsets from to 4095. Also note that only the Limit 
field is affected. The base address remains byte granular. 

Limit: Defines the size of the segment. The processor puts together the two limit fields 
to form a 20-bit value. The processor interprets the limit in one of two ways, depending 
on the setting of the Granularity bit: 

1. If the Granularity bit is clear, the Limit has a value from 1 byte to 1 megabyte, in 
increments of 1 byte. 

2. If the Granularity bit is set, the Limit has a value from 4 kilobytes to 4 gigabytes, in 
increments of 4K bytes. 

For most segments, a logical address may have an offset ranging from to the limit. 
Other offsets generate exceptions. Expand-down segments reverse the sense of the Limit 
field; they may be addressed with any offset except those from to the limit (see the 
Type field, below). This is done to allow segments to be created in which increasing the 
value held in the Limit field allocates new memory at the bottom of the segment's 
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Figure 5-8. Segment Descriptors 

address space, rather than at the top. Expand-down segments are intended to hold 
stacks, but it is not necessary to use them. If a stack is going to be put in a segment which 
does not need to change size, it can be a normal data segment. 

DT field: The descriptors for application segments have this bit set. This bit is clear for 
system segments and gates. 

Type: The interpretation of this field depends on whether the segment descriptor is for 
an application segment or a system segment. System segments have a slightly different 
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descriptor format, discussed in Chapter 6. The Type field of a memory descriptor spec- 
ifies the kind of access which may be made to a segment, and its direction of growth (see 
Table 5-1). 

For data segments, the three lowest bits of the type field can be interpreted as expand- 
down (E), write enable (W), and accessed (A). For code segments, the three lowest bits 
of the type field can be interpreted as conforming (C), read enable (R), and 
accessed (A). 

Data segments can be read-only or read/write. Stack segments are data segments which 
must be read/write. Loading the SS register with a segment selector for any other type of 
segment generates a general-protection exception. If the stack segment needs to be able 
to change size, it can be an expand-down data segment. The meaning of the segment 
limit is reversed for an expand-down segment. While an offset in the range from to the 
segment hmit is valid for other kinds of segments (outside this range a general- 
protection exception is generated), in an expand-down segment these offsets are the 
ones which generate exceptions. The valid offsets in an expand-down segment are those 
which generate exceptions in the other kinds of segments. Other segments must be 
addressed by offsets which are equal or less than the segment limit. Offsets into expand- 
down segments always must be greater than the segment limit. This interpretation of the 
segment limit causes memory space to be allocated at the bottom of the segment when 
the segment limit is increased, which is correct for stack segments because they grow 
toward lower addresses. If the stack is given a segment which does not change size, it 
does not need to be an expand-down segment. 

Code segments can be execute-only or execute/read. An execute/read segment might be 
used, for example, when constants have been placed with instruction code in a ROM. In 
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this case, the constants can be read either by using an instruction with a CS override 
prefix or by placing a segment selector for the code segment in a segment register for a 
data segment. 

Code segments can be either conforming or non-conforming. A transfer of execution 
into a more privileged conforming segment keeps the current privilege level. A transfer 
into a non-conforming segment at a different privilege level results in a general- 
protection exception, unless a task gate is used (see Chapter 6 for a discussion of multi- 
tasking). System utilities which do not access protected facilities, such as data-conversion 
functions (e.g., EBCDIC/ASCII translation, Huffman encoding/decoding, math library) 
and some types of exceptions (e.g., Divide Error, INTO-detected overflow, and BOUND 
range exceeded) may be loaded in conforming code segments. 

The Type field also reports whether the segment has been accessed. Segment descriptors 
initially report a segment as having been accessed. If the Type field then is set to a value 
for a segment which has not been accessed, the processor restores the value if the seg- 
ment is accessed. By clearing and testing the low bit of the Type field, software can 
monitor segment usage (the low bit of the Type field also is called the Accessed bit). 

For example, a program development system might clear all of the Accessed bits for the 
segments of an application. If the application crashes, the states of these bits can be used 
to generate a map of all the segments accessed by the application. Unlike the break- 
points provided by the debugging mechanism (Chapter 12), the usage information ap- 
^ plies to segments rather than physical addresses. 

Note that the processor updates the Type field when a segment is accessed, even if the 
access is a read cycle. If the descriptor tables have been put in ROM, it is necessary for 
the hardware designer to prevent the ROM from being enabled onto the data bus during 
a write cycle. It also is necessary to return the READY# signal to the processor when a 
write cycle to ROM occurs, otherwise the cycle does not terminate. 

DPL (Descriptor Privilege Level): Defines the privilege level of the segment. This is used 
to control access to the segment, using the protection mechanism described in Chapter 6. 

Segment-Present bit: If this bit is clear, the processor generates a segment-not-present 
exception when a selector for the descriptor is loaded into a segment register. This is 
used to detect access to segments which have become unavailable. A segment can be- 
come unavailable when the system needs to create free memory. Items in memory, such 
as character fonts or device drivers, which currently are not being used are de-allocated. 
An item is de-allocated by marking the segment "not present" (this is done by clearing 
the Segment-Present bit). The memory occupied by the segment then can be put to 
another use. The next time the de-allocated item is needed, the segment-not-present 
exception will indicate the segment needs to be loaded into memory. When this kind of 
memor}^ management is provided in a manner invisible to application programs, it is 
called virtual memory. A system may maintain a total amount of virtual memory far larger 
than physical memory by keeping only a few segments present in physical memory at any 
one time. 
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Figure 5-9 shows the format of a descriptor when the Segment-Present bit is clear. When 
this bit is clear, the operating system is free to use the locations marked Available to 
store its own data, such as information regarding the whereabouts of the missing 
segment. 



5.2.4 Segment Descriptor Tables 

A segment descriptor table is an array of segment descriptors. There are two kinds of 
descriptor tables: 

• The global descriptor table (GDT) 

• The local descriptor tables (LDT) 

There is one GDT for all tasks, and an LDT for each task being run. A descriptor table 
is an array of segment descriptors, as shown in Figure 5-10. A descriptor table is variable 
in length and may contain up to 8192 (2^^) descriptors. The first descriptor in the GDT 
is not used by the processor. A segment selector to this "null descriptor" does not 
generate an exception when loaded into a segment register, but it always generates an 
exception when an attempt is made to access mem.ory using the descriptor. By initializing 
the segment registers with this segment selector, accidental reference to unused segment 
registers can be guaranteed to generate an exception. 



5.2.5 Descriptor Table Base Registers 

The processor finds the global descriptor table (GDT) and interrupt descriptor table 
(IDT) using the GDTR and IDTR registers. These registers hold descriptors for tables 
in the physical address space. They also hold limit values for the size of these tables (see 
Figure 5-11). 

The limit value is expressed in bytes. As with segments, the limit value is added to the 
base address to get the address of the last valid byte. A limit value of results in exactly 
one valid byte. Because segment descriptors are always eight bytes, the limit should 
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Figure 5-9. Segment Descriptor (Segment Not Present) 
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Figure 5-10. Descriptor Tables 

always be one less than an integral multiple of eight (i.e., 8N - 1). The LGDT and 
SGDT instructions read and write the GDTR register; the LIDT and SIDT instructions 
read and write the IDTR register. 

A third descriptor table is the local descriptor table (LDT). It is found using a 16-bit 
segment selector held in the LDTR register. The LLDT and SLDT instructions read and 
write the segment selector in the LDTR register. The LDTR register also holds the base 
address and limit for the LDT, but these are loaded automatically by the processor from 
the segment descriptor for the LDT. 
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Figure 5-11. Descriptor Table Base Register 
5.3 PAGE TRANSLATION 



A linear address is a 32-bit address into a uniform, unsegmented address space. This 
address space may be a large physical address space (i.e., an address space composed of 
4 gigabytes of RAM), or paging may be used to simulate this address space using a small 
amount of RAM and some disk storage. When paging is used, a linear address is trans- 
lated into its corresponding physical address, or an exception is generated. The excep- 
tion gives the operating system a chance to read the page from disk (perhaps sending a 
different page out to disk in the process), then restart the program which generated the 
exception. 



Paging is different from segmentation through its use of small, fixed-size pages. Unlike 
segments, which usually are the same size as the data structures they hold, on the 386 
DX microprocessor, pages are always 4K bytes. If segmentation is the only form of 
address translation which is used, a data structure which is present in physical memory 
will have all of its parts in memory. If paging is used, a data structure may be partly in 
memory and partly in disk storage. 



The information which maps linear addresses into physical addresses and exceptions is 
held in data structures in memory, called page tables. As with segmentation, this infor- 
mation is cached in processor registers to minimize the number of bus cycles required 
for address translation. Unlike segmentation, these processor registers are completely 
invisible to application programs. (For testing purposes, these registers are visible to 
programs running with maximum privileges; see Chapter 10 for details.) 

The paging mechanism treats the 32-bit linear address as having three parts, two 10-bit 
indexes into the page tables and a 12-bit offset into the page addressed by the page 
tables. Because both the virtual pages in the linear address space and the physical pages 
of memory are aligned to 4K-byte page boundaries, there is no need to modify the low 12 
bits of the address. These 12 bits pass straight through the paging hardware, whether 
paging is enabled or not. Note that this is different from segmentation, because segments 
can start at any byte address. 
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The upper 20 bits of the address are used to index into the page tables. If every page in 
the Hnear address space were mapped by a single page table in RAM, 4 megabytes 
would be needed. This is not done. Instead, two levels of page tables are used. The top 
level page table is called tht page directory. It maps the upper 10 bits of the linear 
address to the second level of page tables. The second level of page tables maps the 
middle 10 bits of the linear address to the base address of a page in physical memory 
(called a page frame address), or to an exception. 

An exception also may be generated by an entry in the page directory. This gives the 
operating system a chance to bring in a page table from disk storage. By allowing the 
second-level page tables to be sent to disk, the paging mechanism can support mapping 
of the entire linear address space using only a few pages in memory. 

The CR3 register holds the page frame address of the page directory. For this reason, it 
also is called the page directory base register or PDBR. The upper 10 bits of the linear 
address are scaled by four (the number of bytes in a page table entry) and added to the 
value in the PDBR register to get the physical address of an entry in the page directory. 
Because the page frame address is always clear in its lowest 12 bits, this addition is 
performed by concatenation (replacement of the low 12 bits with the scaled index). 

When the entry in the page directory is accessed, a number of checks are performed. 
Exceptions may be generated if the page is protected or is not present in memory. If no 
exception is generated, the upper 20 bits of the page table entry are used as the page- 
frame address of a second-level page table. The middle 10 bits of the linear address are 
scaled by four (again, the size of a page table entry) and concatenated with the page 
frame address to get the physical address of an entry in the second-level page table. 

Again, access checks are performed, and exceptions may be generated. If no exception 
occurs, the upper 20 bits of the second-level page table entry are concatenated with the 
lowest 12 bits of the linear address to form the physical address of the operand (data) in 
memory. 

Although this process may seem complex, it all takes place with very little overhead. The 
processor has a cache for page table entries called the translation lookaside buffer 
(TLB). The TLB satisfies most requests for reading the page tables. Extra bus cycles 
occur only when a new page is accessed. The page size (4K bytes) is large enough so that 
very few bus cycles are made to the page tables, compared to the number of bus cycles 
made to instructions and data. At the same time, the page size is small enough to make 
efficient use of memory. (No matter how small a data structure is, it occupies at least 
one page of memory; page sizes larger than 4K bytes waste memory.) 



5.3.1 PG Bit Enables Paging 

If paging is enabled, a second stage of address translation is used to generate the phys- 
ical address from the linear address. If paging is not enabled, the linear address is used 
as the physical address. 
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Paging is enabled when bit 31 (the PG bit) of the CRO register is set. This bit usually is 
set by the operating system during software initialization. The PG bit must be set if the 
operating system is running more than one program in virtual-8086 mode or if demand- 
paged virtual memory is used. 



5.3.2 Linear Address 

A linear address is mapped to a physical address by specifying a page table, a page 
within that table, and an offset within that page. Figure 5-12 shows the format of a linear 
address. 

Figure 5-13 shows how the processor translates the DIR, PAGE, and OFFSET fields of 
a linear address into the physical address using two levels of page tables. The addressing 
mechanism uses the DIR field as an index into a page directory, uses the PAGE field as 
an index into the page table determined by the page directory, and uses the OFFSET 
field to address an operand within the page specified by the page table. 



5.3.3 Page Tables 

A page table is an array of 32-bit entries. A page table is itself a page, and contains 4096 
bytes of memory or, at most, IK 32-bit entries. 

Two levels of tables are used to address a page of memory. The top level is called the 
page directory. It addresses up to IK page tables in the second level. A page table in the 
second level addresses up to IK pages in physical memory. All the tables addressed by 
one page directory, therefore, can address IM or 2^^ pages. Because each page contains 
4K or 2^^ bytes, the tables of one page directory can span the entire linear address space 
of the 386 DX microprocessor (2^° x 2^^ = 2^^). 

The physical address of the current page directory is stored in the CR3 register, also 
called the page directory base register (PDBR). Memory management software has the 
option of using one page directory for all tasks, one page directory for each task, or some 
combination of the two. See Chapter 10 for information on initialization of the CR3 
register. See Chapter 7 for how the contents of the CR3 register can change for each 
task. 
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Figure 5-14. Format of a Page Table Entry 
5.3.4 Page-Table Entries 

Entries in either level of page tables have the same format. Figure 5-14 illustrates this 
format. 

5.3.4.1 PAGE FRAME ADDRESS 

The page frame address is the base address of a page. Because pages are located on 
4K-byte boundaries, the lowest 12 bits of the page frame address are always clear. In a 
page table entry, the upper 20 bits are used to specify a page frame address, and the 
lowest 12 bits specify control and status bits for the page. In a page directory, the page 
frame address is the address of a page table. In a second-level page table, the page frame 
address is the address of a page containing instructions or data. 
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5.3.4.2 PRESENT BIT 

The Present bit indicates whether the page frame address in a page table entry maps to 
a page in physical memory. When set, the page is in memory. 

When the Present bit is clear, the page is not in memory, and the rest of the page table 
entry is available for the operating system, for example, to store information regarding 
the whereabouts of the missing page. Figure 5-15 illustrates the format of a page table 
entry when the Present bit is clear. 

If the Present bit is clear in either level of page tables when an attempt is made to use a 
page table entry for address translation, a page-fault exception is generated. In systems 
which support demand-paged virtual memory, the following sequence of events then 
occurs: 

1. The operating system copies the page from disk storage into physical memory. 

2. The operating system loads the page frame address into the page table entry and 
sets its Present bit. Other bits, such as the RAV bit, may be set, too. 

3. Because a copy of the old page table entry may still exist in the translation lookaside 
buffer (TLB), the operating system empties it. See Section 5.3.5 for a discussion of 
the TLB and how to empty it. 

4. The program which caused the exception is then restarted. 

Note that there is no Present bit for the page directory. Although the page directory may 
be in disk storage while the tasks which use it are suspended, it must be brought into 
memory before any of these tasks may be run. 

5.3.4.3 ACCESSED AND DIRTY BITS 

These bits provide data about page usage in both levels of page tables. The Accessed bit 
is used to report read or write access to a page or second-level page table. The Dirty bit 
is used to report write access to a page. 

With the exception of the Dirty bit in a page directory entry, these bits are set by the 
hardware; however, the processor does not clear either of these bits. The processor sets 
the Accessed bits in both levels of page tables before a read or write operation to a page. 
The processor sets the Dirty bit in the second-level page table before a write operation 
to an address mapped by that page table entry. The Dirty bit in directory entries is 
undefined. 
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Figure 5-15. Format of a Page Table Entry for a Not-Present Page 
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The operating system may use the Accessed bit when it needs to create some free mem- 
ory by sending a page or second-level page table to disk storage. By periodically clearing 
the Accessed bits in the page tables, it can see which pages have been used recently. 
Pages which have not been used are candidates for sending out to disk. 

The operating system may use the Dirty bit when a page is sent back to disk. By clearing 
the Dirty bit when the page is brought into memory, the operating system can see if it 
has received any write access. If there is a copy of the page on disk, and the copy in 
memory has not received any writes, there is no need to update disk from memory. 

See Chapter 11 for how the 386 DX microprocessor updates the Accessed and Dirty bits 
in multiprocessor systems. 

5.3.4.4 READ/WRITE AND USER/SUPERVISOR BITS 

The ReadAVrite and User/Supervisor bits are used for protection checks applied to 
pages, which the processor performs at the same time as address translation. See Chap- 
ter 6 for more information. 



5.3.5 Translation Lookaside Buffer 

The processor stores the most recently used page table entries in an on-chip cache, 
called the translation lookaside buffer or TLB. Most paging is performed using the 
contents of the TLB. Bus cycles to the page tables are performed only when a new page 
is used. The 386 DX microprocessor uses a random replacement algorithm for replacing 
pages in the TLB. 

The TLB is invisible to application programs, but not to operating systems. Operating- 
system programmers must flush the TLB (dispose of its page table entries) when entries 
in the page tables are changed. If this is not done, old data which has not received the 
changes might get used for address translation. A change to an entry for a page which is 
not present in memory does not require flushing the TLB, because entries for not- 
present pages are not cached. 

The TLB is flushed when the CR3 register is loaded. The CR3 register can be loaded in 
either of two ways: 

1. Explicit loading using MOV instructions, such as: 

nav CR3, EAX 
nOV EAX, CR3 

2. Implicit loading by a task switch which changes the contents of the CR3 register. 
(See Chapter 7 for more information on task switching.) Note that if the contents of 
the CR3 register do not change during a task switch, the TLB is not flushed. 
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5.4 COMBINING SEGMENT AND PAGE TRANSLATION 



Figure 5-16 combines Figure 5-2 and Figure 5-9 to summarize both stages of translation 
from a logical address to a physical address when paging is enabled. Options available in 
both stages of address translation can be used to support several different styles of 
memory management. 



5.4.1 Flat Model 



When the 386 DX microprocessor is used to run software written without segments, it 
may be desirable to remove the segmentation features of the 386 DX microprocessor. 
The 386 DX microprocessor does not have a mode bit for disabling segmentation, but 
the same effect can be achieved by mapping the stack, code, and data spaces to the same 
range of linear addresses. The 32-bit offsets used by 386 DX microprocessor instructions 
can cover the entire linear address space. 
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Figure 5-16. Combined Segment and Page Address Translation 
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When paging is used, the segments can be mapped to the entire Hnear address space. If 
more than one program is being run at the same time, the paging mechanism can be 
used to give each program a separate address space. 



5.4.2 Segments Spanning Several Pages 

The Intel386™ architecture allows segments which are larger the size of a page 
(4K bytes). For example, a large data structure may span thousands of pages. If paging 
were not used, access to any part of the data structure would require the entire data 
structure to be present in physical memory. With paging, only the page containing the 
part being accessed needs to be in memory. 



5.4.3 Pages Spanning Several Segments 

Segments also may be smaller than the size of a page. If one of these segments is placed 
in a page which is not shared with another segment, the extra memory is wasted. For 
example, a small data structure, such as a 1-byte semaphore, occupies 4K bytes if it is 
placed in a page by itself. If many semaphores are used, it is more efficient to pack them 
into a single page. 



5.4.4 Non-Aligned Page and Segment Boundaries 

The Intel386 architecture does not enforce any correspondence between the boundaries 
of pages and segments. A page may contain the end of one segment and the beginning of 
another. Likewise, a segment may contain the end of one page and the beginning of 
another. 



5.4.5 Aligned Page and Segment Boundaries 

Memory-management software may be simpler and more efficient if it enforces some 
alignment between page and segment boundaries. For example, if a segment which may 
fit in one page is placed in two pages, there may be twice as much paging overhead to 
support access to that segment. 



5.4.6 Page-Table Per Segment 

An approach to combining paging and segmentation which simplifies memory- 
management software is to give each segment its own page table, as shown in 
Figure 5-17. This gives the segment a single entry in the page directory which provides 
the access control information for paging the segment. 
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CHAPTER 6 
PROTECTION 

Protection is necessary for reliable multitasking. Protection can be used to prevent tasks 
from interfering with each other. For example, protection can keep one task from over- 
writing the instructions or data of another task. 

During program development, the protection mechanism can give a clearer picture of 
program bugs. When a program makes an unexpected reference to the wrong memory 
space, the protection mechanism can block the event and report its occurrence. 

In end-user systems, the protection mechanism can guard against the possibility of soft- 
ware failures caused by undetected program bugs. If a program fails, its effects can be 
confined to a limited domain. The operating system can be protected against damage, so 
diagnostic information can be recorded and automatic recovery may be attempted. 

Protection may be applied to segments and pages. Two bits in a processor register define 
the privilege level of the program currently running (called the current privilege level or 
CPL). The CPL is checked during address translation for segmentation and paging. 

Although there is no control register or mode bit for turning off the protection mecha- 
nism, the same effect can be achieved by assigning privilege level (the highest level of 
privilege) to all segment selectors, segment descriptors, and page table entries. 



6.1 SEGMENT-LEVEL PROTECTION 

Protection provides the ability to limit the amount of interference a malfunctioning pro- 
gram can inflict on other programs and their data. Protection is a valuable aid in soft- 
ware development because it allows software tools (operating system, debugger, etc.) to 
survive in memory undamaged. When an application program fails, the software is avail- 
able to report diagnostic messages, and the debugger is available for post-mortem anal- 
ysis of memory and registers. In production, protection can make software more reliable 
by giving the system an opportunity to initiate recovery procedures. 

Each memory reference is checked to verify that it satisfies the protection checks. All 
checks are made before the memory cycle is started; any violation prevents the cycle 
from starting and results in an exception. Because checks are performed in parallel with 
address translation, there is no performance penalty. There are five protection checks: 

1. Type check 

2. Limit check 

3. Restriction of addressable domain 

4. Restriction of procedure entry points 

5. Restriction of instruction set 
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A protection violation results in an exception/See Chapter 9 for an explanation of the 
exception mechanism. This chapter describes the protection violations which lead to 
exceptions. 



6.2 SEGMENT DESCRIPTORS AND PROTECTION 

Figure 6-1 shows the fields of a segment descriptor which are used by the protection 
mechanism. Individual bits in the Type field also are referred to by the names of their 
functions. 

Protection parameters are placed in the descriptor when it is created. In general, appli- 
cation programmers do not need to be concerned about protection parameters. 

When a program loads a segment selector into a segment register, the processor loads 
both the base address of the segment and the protection information. The invisible part 
of each segment register has storage for the base, limit, type, and privilege level. While 
this information is resident in the segment register, subsequent protection checks on the 
same segment can be performed with no performance penalty. 



6.2.1 Type Checking 

In addition to the descriptors for application code and data segments, the 386™ DX 
microprocessor has descriptors for system segments and gates. These are data structures 
used for managing tasks (Chapter 7) and exceptions and interrupts (Chapter 9). 
Table 6-1 Hsts all the types defined for system segments and gates. Note that not all 
descriptors define segments; gate descriptors hold pointers to procedure entry points. 

Table 6-1 . System Segment and Gate Types 



Type 


Description 





reserved 


1 


Available 80286 TSS 


2 


LDT 


3 


Busy 80286 TSS 


4 


Call Gate 


5 


Task Gate 


6 


80286 Interrupt Gate 


7 


80286 Trap Gate 


8 


reserved 


9 


Available 386™ DX TSS 


10 


reserved 


11 


Busy 386 DX TSS 


12 


386 DX Gall Gate 


13 


reserved 


14 


386 DX Interrupt Gate 


15 


386 DX Task Gate 



6-2 



Intel' 



PROTECTION 



DATA SEGMENT DESCRIPTOR 




2 1111111111 






31 09876543210987 


+ 4 




BASE 31:24 














LIMIT 
19:16 





D 
P 


1 





E 


w 


A 


BASE 23:16 
















L 














+ 


SEGMENT BASE 15.00 


SEGMENT LIMIT 15.00 


CODE SEGMENT DESCRIPTOR 




2 1111111111 






31 09876543210987 


+ 4 




BASE 31 :24 














LIMIT 
19-16 





D 
P 


1 


1 


C 


R 


A 


BASE 23:16 


















L 














+ 


SEGMENT BASE 15:00 


SEGMENT LIMIT 15:00 


SYSTEM SEGMENT DESCRIPTOR 




2 1111111111 






31 09876543210987 ( 


) 
+ 4 




BASE 31:24 














LIMIT 
19:16 





D 
P 





TYPE 


BASE 23:16 


















L 








+ 


SEGMENT BASE 15:00 


SEGMENT LIMIT 15:00 


A ACCESSED 

C CONFORMING 

DPL DESCRIPTOR PRIVILEGE LEVEL 

E EXPAND-DOWN 

R READABLE 

LIMIT SEGMENT LIMIT 

W WRITABLE 






2403311 



Figure 6-1 . Descriptor Fields Used for Protection 
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The Type fields of code and data segment descriptors include bits which further define 
the purpose of the segment (see Figure 6-1): 

• The Writable bit in a data-segment descriptor controls whether programs can write to 
the segment. 

• The Readable bit in an executable-segment descriptor specifies whether programs 
can read from the segment (e.g., to access constants stored in the code space). A 
readable, executable segment may be read in two ways: 

1. With the CS register, by using a CS override prefix. 

2. By loading a selector for the descriptor into a data-segment register (the DS, ES, 
FS, or GS registers). 

Type checking can be used to detect programming errors which would attempt to use 
segments in ways not intended by the programmer. The processor examines type infor- 
mation on two kinds of occasions: 

1. When a selector for a descriptor is loaded into a segment register. Certain segment 
registers can contain only certain descriptor types; for example: 

• The CS register only can be loaded with a selector for an executable segment. 

• Selectors of executable segments which are not readable cannot be loaded into 
data-segment registers. 

• Only selectors of writable data segments can be loaded into the SS register. 

2. Certain segments can be used by instructions only in certain predefined ways; for 
example: 

• No instruction may write into an executable segment. 

• No instruction may write into a data segment if the writable bit is not set. 

9 No instruction may read an executable segment unless the readable bit is set. 



6.2.2 Limit Checking 

The Limit field of a segment descriptor prevents programs from addressing outside the 
segment. The effective value of the limit depends on the setting of the G bit (Granularity 
bit). For data segments, the limit also depends on the E bit (Expansion-Direction bit). 
The E bit is a designation for one bit of the Type field, when referring to data segment 
descriptors. 

When the G bit is clear, the limit is the value of the 20-bit Limit field in the descriptor. 
In this case, the limit ranges from to OFFFFFH (2^^ - 1 or 1 megabyte). When the G 
bit is set, the processor scales the value in the Limit field by a factor of 2^^. In this case 
the limit ranges from OFFFH (2^^ - 1 or 4K bytes) to OFFFFFFFFH (2^^ - 1 or 4 
gigabytes). Note that when scaling is used, the lower twelve bits of the address are not 
checked against the limit; when the G bit is set and the segment limit is 0, valid offsets 
within the segment are through 4095. 
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For all types of segments except expand-down data segments (stack segments), the value 
of the limit is one less than the size, in bytes, of the segment. The processor causes a 
general-protection exception in any of these cases: 

• Attempt to access a memory byte at an address > limit 

• Attempt to access a memory word at an address > (limit - 1) 

• Attempt to access a memory doubleword at an address > (limit - 3) 

For expand-down data segments, the limit has the same function but is interpreted 
differently. In these cases the range of valid offsets is from (limit + 1) to 2^^ -1. An 
expand-down segment has maximum size when the segment limit is 0. 

Limit checking catches programming errors such as runaway subscripts and invalid 
pointer calculations. These errors are detected when they occur, so identification of the 
cause is easier. Without limit checking, these errors could overwrite critical memory in 
another module, and the existence of these errors would not be discovered until the 
damaged module crashed, an event which may occur long after the actual error. Protec- 
tion can block these errors and report their source. 

In addition to limit checking on segments, there is limit checking on the descriptor 
tables. The GDTR and LDTR registers contain a 16-bit limit value. It is used by the 
processor to prevent programs from selecting a segment descriptor outside the descrip- 
tor table. The limit of a descriptor table identifies the last valid byte of the table. Be- 
cause each descriptor is eight bytes long, a table which contains up to N descriptors 
should have a limit of 8N - 1. 

A descriptor may be given a zero value. This refers to the first descriptor in the GDT, 
which is not used. Although this descriptor may be loaded into a segment register, any 
attempt to reference memory using this descriptor will generate a general-protection 
exception. 



6.2.3 Privilege Levels 

The protection mechanism recognizes four privilege levels, numbered from to 3. The 
greater numbers mean lesser privileges. If all other protection checks are satisfied, a 
general-protection exception is generated if a program attempts to access a segment 
using a less privileged level (greater privilege number) than that applied to the segment. 

Although no control register or mode bit is provided for turning off the protection 
mechanism, the same effect can be achieved by assigning all privilege levels the value of 
0. (The PE bit in the CRO register is not an enabling bit for the protection mechanism 
alone; it is used to enable "protected mode," the mode of program execution in which 
the full 32-bit architecture is available. When protected mode is disabled, the processor 
operates in "real-address mode," where it appears as a fast, enhanced 8086 processor.) 
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Privilege levels can be used to improve the reliability of operating systems. By giving the 
operating system the highest privilege level, it is protected from damage by bugs in other 
programs. If a program crashes, the operating system has a chance to generate a diag- 
nostic message and attempt recovery procedures. 

Another level of privilege can be established for other parts of the system software, such 
as the programs which handle peripheral devices, called device drivers. If a device driver 
crashes, the operating system should be able to report a diagnostic message, so it makes 
sense to protect the operating system against bugs in device drivers. A device driver, 
however, may service an important peripheral such as a disk drive. If the application 
program crashed, the device driver should not corrupt the directory structure of the disk, 
so it makes sense to protect device drivers against bugs in applications. Device drivers 
should be given an intermediate privilege level between the operating system and the 
application programs. Application programs are given the lowest privilege level. 

Figure 6-2 shows how these levels of privilege can be interpreted as rings of protection. 
The center is for the segments containing the most critical software, usually the kernel of 
an operating system. Outer rings are for less critical software. 



PROTECTION RINGS 



OPERATING SYSTEM KERNEL 



OPmATING SYSTB/I 
SERVICES (DEVICE 
DRIVERS, ETC.) 



APPLICATIONS 




Figure 6-2. Protection Flags 
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The following data structures contain privilege levels: 

• The lowest two bits of the CS segment register hold the current privilege level (CPL). 
This is the privilege level of the program being run. The lowest two bits of the SS 
register also hold a copy of the CPL. Normally, the CPL is equal to the privilege level 
of the code segment from which instructions are being fetched. The CPL changes 
when control is transferred to a code segment with a different privilege level. 

o Segment descriptors contain a field called the descriptor privilege level (DPL), The 
DPL is the privilege level applied to a segment. 

® Segment selectors contain a field called the requested privilege level (RPL). The RPL is 
intended to represent the privilege level of the procedure which created the selector. 
If the RPL is a less privileged level than the CPL, it overrides the CPL. When a more 
privileged program receives a segment selector from a less privileged program, the 
RPL causes the memory access take place at the less privileged level. 

Privilege levels are checked when the selector of a descriptor is loaded into a segment 
register. The checks used for data access differ from those used for transfers of execu- 
tion among executable segments; therefore, the two types of access are considered sep- 
arately in the following sections. 

6.3 RESTRICTING ACCESS TO DATA 

To address operands in memory, a segment selector for a data segment must be loaded 
into a data-segment register (the DS, ES, FS, GS, or SS registers). The processor checks 
the segment's privilege levels. The check is performed when the segment selector is 
loaded. As Figure 6-3 shows, three different privilege levels enter into this type of priv- 
ilege check. 

The three privilege levels which are checked are: 

L The CPL (current privilege level) of the program. This is held in the two least- 
significant bit positions of the CS register. 

2. The DPL (descriptor privilege level) of the segment descriptor of the segment con- 
taining the operand. 

3. The RPL (requestor's privilege level) of the selector used to specify the segment 
containing the operand. This is held in the two lowest bit positions of the segment 
register used to access the operand (the SS, DS, ES, FS, or GS registers). If the 
operand is in the stack segment, the RPL is the same as the CPL. 

Instructions may load a segment register only if the DPL of the segment is the same or a 
less privileged level (greater privilege number) than the less privileged of the CPL and 
the selector's RPL. 

The addressable domain of a task varies as its CPL changes. When the CPL is 0, data 
segments at all privilege levels are accessible; when the CPL is 1, only data segments at 
privilege levels 1 through 3 are accessible; when the CPL is 3, only data segments at 
privilege level 3 are accessible. 
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Figure 6-3. Privilege Check for Data Access 
6.3.1 Accessing Data in Code Segments 



It may be desirable to store data in a code segment, for example, when both code and 
data are provided in ROM. Code segments may legitimately hold constants; it is not 
possible to write to a segment defined as a code segment, unless a data segment is 
mapped to the same address space. The following methods of accessing data in code 
segments are possible: 

1. Load a data-segment register with a segment selector for a nonconforming, read- 
able, executable segment. 
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2. Load a data-segment register with a segment selector for a conforming, readable, 
executable segment. 

3. Use a code-segment override prefix to read a readable, executable segment whose 
selector already is loaded in the CS register. 

The same rules for access to data segments apply to case 1. Case 2 is always valid 
because the privilege level of a code segment with a set Conforming bit is effectively the 
same as the CPL, regardless of its DPL. Case 3 is always valid because the DPL of the 
code segment selected by the CS register is the CPL. 



6.4 RESTRICTING CONTROL TRANSFERS 

With the 386 DX microprocessor, control transfers are provided by the JMP, CALL, 
RET, INT, and IRET instructions, as well as by the exception and interrupt mecha- 
nisms. Exceptions and interrupts are special cases discussed in Chapter 9. This chapter 
discusses only the JMP, CALL, and RET instructions. 

The "near" forms of the JMP, CALL, and RET instructions transfer program control 
within the current code segment, and therefore are subject only to limit checking. The 
processor checks that the destination of the JMP, CALL, or RET instruction does not 
exceed the limit of the current code segment. This limit is cached in the CS register, so 
protection checks for near transfers require no performance penalty. 

The operands of the "far" forms of the JMP and CALL instruction refer to other seg- 
ments, so the processor performs privilege checking. There are two ways a JMP or 
CALL instruction can refer to another segment: 

1. The operand selects the descriptor of another executable segment. 

2. The operand selects a call gate descriptor. This gated form of transfer is discussed in 
Chapter 7. 

As Figure 6-4 shows, two different privilege levels enter into a privilege check for a 
control transfer which does not use a call gate: 

1. The CPL (current privilege level). 

2. The DPL of the descriptor of the destination code segment. 

Normally the CPL is equal to the DPL of the segment which the processor is currently 
executing. The CPL may, however, be greater (less privileged) than the DPL if the 
current code segment is a conforming segment (as indicated by the Type field of its 
segment descriptor). A conforming segment runs at the privilege level of the calling 
procedure. The processor keeps a record of the CPL cached in the CS register; this value 
can be different from the DPL in the segment descriptor of the current code segment. 
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Figure 6-4. Privilege Check for Control Transfer without Gate 

The processor only permits a JMP or CALL instruction directly into another segment if 
one of the following privilege rules is satisfied: 

• The DPL of the segment is equal to the current CPL. 

• The segment is a conforming code segment, and its DPL is less (more privileged) than 
the current CPL. 

Conforming segments are used for programs, such as math libraries and some kinds of 
exception handlers, which support applications but do not require access to protected 
system facilities. When control is transferred to a conforming segment, the CPL does not 
change, even if the selector used to address the segment has a different RPL. This is the 
only condition in which the CPL may be different from the DPL of the current code 
segment. 

Most code segments are not conforming. For these segments, control can be transferred 
without a gate only to other code segments at the same level of privilege. It is sometimes 
necessary, however, to transfer control to higher privilege levels. This is accomplished 
with the CALL instruction using call-gate descriptors, which is explained in Chapter 7. 
The JMP instruction may never transfer control to a nonconforming segment whose 
DPL does not equal the CPL. 
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6.5 GATE DESCRIPTORS 

To provide protection for control transfers among executable segments at different priv- 
ilege levels, the 386 DX microprocessor usesg^^^ descriptors. There are four kinds of gate 
descriptors: 

« Call gates 

o Trap gates 

• Interrupt gates 

• Task gates 

Task gates are used for task switching and are discussed in Chapter 7. Chapter 9 explains 
how trap gates and interrupt gates are used by exceptions and interrupts. This chapter is 
concerned only with call gates. Call gates are a form of protected control transfer. They 
are used for control transfers between different privilege levels. They only need to be 
used in systems in which more than one privilege level is used. Figure 6-5 illustrates the 
format of a call gate. 

A call gate has two main functions: 

1. To define an entry point of a procedure. 

2. To specify the privilege level required to enter a procedure. 

Call gate descriptors are used by CALL and JUMP instructions in the same manner as 
code segment descriptors. When the hardware recognizes that the segment selector for 
the destination refers to a gate descriptor, the operation of the instruction is determined 
by the contents of the call gate. A call gate descriptor may reside in the GDT or in an 
LDT, but not in the interrupt descriptor table (IDT). 
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The selector and offset fields of a gate form a pointer to the entry point of a procedure. 
A call gate guarantees that all control transfers to other segments go to a valid entry 
point, rather than to the middle of a procedure (or worse, to the middle of an instruc- 
tion). The operand of the control transfer instruction is not the segment selector and 
offset within the segment to the procedure's entry point. Instead, the segment selector 
points to a gate descriptor, and the offset is not used. Figure 6-6 shows this form of 
addressing. 
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Figure 6-6. Call Gate Mechanism 
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As shown in Figure 6-7, four different privilege levels are used to check the validity of a 
control transfer through a call gate. 
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Figure 6-7. Privilege Check for Control Transfer with Call Gate 
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The privilege levels checked during a transfer of execution through a call gate are: 

1. The CPL (current privilege level). 

2. The RPL (requestor's privilege level) of the segment selector used to specify the call 
gate. 

3. The DPL (descriptor privilege level) of the gate descriptor. 

4. The DPL of the segment descriptor of the destination code segment. 

The DPL field of the gate descriptor determines from which privilege levels the gate may 
be used. One code segment can have several procedures which are intended for use from 
different privilege levels. For example, an operating system may have some services 
which are intended to be used by both the operating system and application software, 
such as routines to handle character I/O, while other services may be intended only for 
use by operating system, such as routines which initialize device drivers. 

Gates can be used for control transfers to more privileged levels or to the same privilege 
level (though they are not necessary for transfers to the same level). Only CALL instruc- 
tions can use gates to transfer to less privileged levels. A JMP instruction may use a gate 
only to transfer control to a code segment with the same privilege level, or to a conform- 
ing code segment with the same or a more privileged level. 

For a JMP instruction to a nonconforming segment, both of the following privilege rules 
must be satisfied; otherwise, a general-protection exception is generated. 

MAX (CPL,RPL) < gate DPL 
destination code segment DPL = CPL 

For a CALL instruction (or for a JMP instruction to a conforming segment), both of the 
following privilege rules must be satisfied; otherwise, a general-protection exception is 
generated. 

MAX (CPL,RPL) < gate DPL 
destination code segment DPL < CPL 

6.5.1 Stack Switching 

A procedure call to a more privileged level does the following: 

L Changes the CPL. 

2. Transfers control (execution). 

3. Switches stacks. 

All inner protection rings (privilege levels 0, 1, and 2), have their own stacks for receiv- 
ing calls from less privileged levels. If the caller were to provide the stack, and the stack 
was too small, the called procedure might crash as a result of insufficient stack space. 
Instead, less privileged programs are prevented from crashing more privileged programs 
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by creating a new stack when a call is made to a more privileged level. The new stack is 
created, parameters are copied from the old stack, the contents of registers are saved, 
and execution proceeds normally. When the procedure returns, the contents of the saved 
registers restore the original stack. A complete description of the task switching mecha- 
nism is provided in Chapter 7. 

The processor finds the space to create new stacks using the task state segment (TSS), as 
shown in Figure 6-8. Each task has its own TSS. The TSS contains initial stack pointers 
for the inner protection rings. The operating system is responsible for creating each TSS 
and initializing its stack pointers. An initial stack pointer consists of a segment selector 
and an initial value for the ESP register (an initial offset into the segment). The initial 
stack pointers are strictly read-only values. The processor does not change them while 
the task runs. These stack pointers are used only to create new stacks when calls are 
made to more privileged levels. These stacks disappear when the called procedure re- 
turns. The next time the procedure is called, a new stack is created using the initial stack 
pointer. 

When a call gate is used to change privilege levels, a new stack is created by loading an 
address from the TSS. The processor uses the DPL of the destination code segment (the 
new CPL) to select the initial stack pointer for privilege level 0, 1, or 2. 
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6-15 



intel' 



PROTECTION 



The DPL of the new stack segment must equal the new CPL; if not, a stack-fault excep- 
tion is generated. It is the responsibility of the operating system to create stacks and 
stack-segment descriptors for all privilege levels which are used. The stacks must be 
read/write as specified in the Type field of their segment descriptors. They must contain 
enough space, as specified in the Limit field, to hold the contents of the SS and ESP 
registers, the return address, and the parameters and temporary variables required by 
the called procedure. 

As with calls within a privilege level, parameters for the procedure are placed on the 
stack. The parameters are copied to the new stack. The parameters can be accessed 
within the called procedure using the same relative addresses which would have been 
used if no stack switching had occurred. The count field of a call gate tells the processor 
how many doublewords (up to 31) to copy from the caller's stack to the stack of the 
called procedure. If the count is 0, no parameters are copied. 

If more than 31 doublewords of data need to be passed to the called procedure, one of 
the parameters can be a pointer to a data structure, or the saved contents of the SS and 
ESP registers may be used to access parameters in the old stack space. 

The processor performs the following stack-related steps in executing a procedure call 
between privilege levels. 

1. The stack of the called procedure is checked to make certain it is large enough to 
hold the parameters and the saved contents of registers; if not, a stack exception is 
generated. 

2. The old contents of the SS and ESP registers are pushed onto the stack of the called 
procedure as two doublewords (the 16-bit SS register is zero-extended to 32 bits; the 
zero-extended upper word is Intel® reserved; do not use). 

3. The parameters are copied from the stack of the caller to the stack of the called 
procedure. 

4. A pointer to the instruction after the CALL instruction (the old contents of the CS 
and EIP registers) is pushed onto the new stack. The contents of the SS and ESP 
registers after the call point to this return pointer on the stack. 

Figure 6-9 illustrates the stack frame before, during, and after a successful interlevel 
procedure call and return. 

The TSS does not have a stack pointer for a privilege level 3 stack, because a procedure 
at privilege level 3 cannot be called by a less privileged procedure. The stack for privilege 
level 3 is preserved by the contents of the SS and EIP registers which have been saved on 
the stack of the privilege level called from level 3. 

A call using a call gate does not check the values of the words copied onto the new stack. 
The called procedure should check each parameter for validity. A later section discusses 
how the ARPL, VERR, VERW, LSL, and LAR instructions can be used to check 
pointer values. 
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OLD STACK, 
BEFORE CALL: 


-< ESP 


NEW STACK, 
AH ER CALL, 
BEFORE RETURN: 


^1^ ESP 


OLD STACK, 
AFTER RETURN: 


-< ESP 
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OLDSS 




OLD ESP 




FARM 1 


PARM 1 




PARM 2 


PARM 2 




PARM 3 


PARM 3 






OLDCS 






OLD EIP 















Figure 6-9. Stack Frame during Interlevel Call 
6.5.2 Returning from a Procedure 

The "near" forms of the RET instruction only transfer control within the current code 
segment, therefore are subject only to limit checking. The offset to the instruction fol- 
lowing the CALL instruction is popped from the stack into the EIP register. The proces- 
sor checks that this offset does not exceed the limit of the current code segment. 

The "far" form of the RET instruction pops the return address which was pushed onto 
the stack by an earlier far CALL instruction. Under normal conditions, the return 
pointer is vahd, because it was generated by a CALL or INT instruction. Nevertheless, 
the processor performs privilege checking because of the possibility that the current 
procedure altered the pointer or failed to maintain the stack properly. The RPL of the 
code-segment selector popped off the stack by the return instruction should have the 
privilege level of the calling procedure. 

A return to another segment can change privilege levels, but only toward less privileged 
levels. When a RET instruction encounters a saved CS value whose RPL is numerically 
greater than the CPL (less privileged level), a return across privilege levels occurs. A 
return of this kind performs these steps: 

1. The checks shown in Table 6-2 are made, and the CS, EIP, SS, and ESP registers 
are loaded with their former values, which were saved on the stack. 
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Table 6-2. Interlevel Return Checks 



Type of Check 


Exception Type 


Error Code 


top-of-stack must be within stack segment limit 


stack 





top-of-stack + 7 must be within stack segment limit 


stack 





RPL of retum code segment must be greater than the CPL 


protection 


Return OS 


Return code segment selector must be non-null 


protection 


Return CS 


Return code segment descriptor must be within descriptor table 

limit 


protection 


Return CS 


nil III 

Return segment descriptor must be a codesegment 


protection 


Return CS 


Return code segment is present 


segment not present 


Return CS 


DPL of return non-conforming code segment must equal RPL of 


protection 


Return CS 


return code segment selector, or DPL of return conforming 






code segment must be less than or equal to RPL of return code 






segment selector 






ESP + N + 15* must be within the stack segment limit 


stack fault 


Return CS 


segment selector at ESP + N + 12* must be non-null 


protection 


Return CS 


segment descriptor at ESP +N +12* must be within descriptor 


protection 


Return CS 


table limit 






stack segment descriptor must be read/write 


protection 


Return CS 


stack segment must be present 


stack fault 


Return CS 


old stack segment DPL must be equal to RPL of old code seg- 

mpnt 


protection 


Return CS 


II ICl 11 

old stack segment selector must have an RPL equal to the DPL 


protection 


Return CS 


of the old stack segment 







*N is the value of the immediate operand supplied with the RET instruction. 

2. The old contents of the SS and ESP registers (from the top of the current stack) are 
adjusted by the number of bytes indicated in the RET instruction. The resulting ESP 
value is not checked against the limit of the stack segment. If the ESP value is 
beyond the limit, that fact is not recognized until the next stack operation. (The 
contents of the SS and ESP registers for the returning procedure are not preserved; 
normally, their values are the same as those contained in the TSS.) 

3. The contents of the DS, ES, FS, and GS segment registers are checked. If any of 
these registers refer to segments whose DPL is less than the new CPL (excluding 
conforming code segments), the segment register is loaded with the null selector 
(Index = 0, TI = 0). The RET instruction itself does not signal exceptions in these 
cases; however, any subsequent memory reference using a segment register contain- 
ing the null selector will cause a general-protection exception. This prevents less 
privileged code from accessing more privileged segments using selectors left in the 
segment registers by a more privileged procedure. 



6.5.3 Mixing 16 and 32-Bit Stacks 

When 80286 code is ported to the 386 DX microprocessor through system calls to level 0, 
there is 16-bit software at a user level (level 3) and 32-bit system software at the system 
level (level 0). To support the level transitions, there may be different mixes of stack 
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frames (16 or 32 bit) at these two levels. In addition, such calls have to go through call 
gates which may either be 16-bit or 32-bit call gates. Proper ESP update during CALLs 
and RETurns is necessary. ESP updates in cases involving 16-bit and 32-bit mixes are as 
follows: 



CALL From 


Using 


RET From 


ESP most sigr 


lif leant 16-bits 


(Level 3) 




(Level 0) 


After CALL 


After RET 


16-bit SS 


16-bit Gate 


16-bit SS 


Unchanged 


Unchanged 


16-bit SS 


16-bit Gate 


32-bit SS 


Correct 


Unchanged 


16-bit SS 


32-bit Gate 


16-bit SS 


Unchanged 


Unchanged 


16-bit SS 


32-blt Gate 


32-bit SS 


Correct 


Unchanged 


32-bit SS 


16-bit Gate 


16-bit SS 


Unchanged 


Not Reliable 


32-bit SS 


16-bit Gate 


32-bit SS 


Correct 


Not Reliabie 


32-bit SS 


32-bit Gate 


16-bit SS 


Unchanged 


Correct 


32-bit SS 


32-bit Gate 


32-bit SS 


Correct 


Correct 



NOTES: 

1 . Level 3 code is always 1 6-bit and Level code is always 32-bit. 

2. The current TSS is used to obtain the higher privilege level SS and (E)SP values. If the destination stack 
(the level stack in this case) is 32-bit, then the current TSS should also be 32-bit, so that the correct 
32-bit ESP is read to form the address for the pushes on the new (level 0) stack. In this case, the 16-bit 
code at level 3 should have 32-bit TSS, when the stack frame at the called level is 32-bit. 

3. If there is a call from a 32-bit SS using a 16-bit gate, then the upper 16-bits of ESP on RET are not 
reliable. This is because the gate size determines the length of the operands to be pushed on the return 
stack during the call. During RET, the same 16-bits of SP are read, but since the source stack is 32-bits 
the entire ESP is updated, not just ESP. 

6.6 INSTRUCTIONS RESERVED FOR THE OPERATING SYSTEM 

Instructions which can affect the protection mechanism or influence general system per- 
formance can only be executed by trusted procedures. The 386 DX microprocessor has 
two classes of such instructions: 

1. Privileged instructions — those used for system control. 

2. Sensitive instructions — those used for I/O and I/O-related activities. 

6.6.1 Privileged Instructions 

The instructions which affect protected facilities can be executed only when the CPL is 
(most privileged). If one of these instructions is executed when the CPL is not 0, a 
general-protection exception is generated. These instructions include: 



CLTS 

HLT 

LGDT 

LIDT 

LLDT 

LMSW 

LTR 



— Clear Task-Switched Flag 

— Halt Processor 

— Load GDT Register 
-Load IDT Register 

— Load LDT Register 

— Load Machine Status Word 

— Load Task Register 
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MOV to/from CRO -Move to Control Register 

MOV to/from DRn —Move to Debug Register n 

MOV to/from TRn -Move to Test Register n 



6.6.2 Sensitive Instructions 

Instructions which deal with I/O need to be protected, but they also need to be used by 
procedures executing at privilege levels other than (the most privileged level). The 
mechanisms for protection of I/O operations are covered in detail in Chapter 8. 



6.7 INSTRUCTIONS FOR POINTER VALIDATION 

Pointer validation is necessary for maintaining isolation between privilege levels. It con- 
sists of the following steps: 

1. Check if the supplier of the pointer is allowed to access the segment. 

2. Check if the segment type is compatible with its use. 

3. Check if the pointer offset exceeds the segment limit. 

Although the 386 DX microprocessor automatically performs checks 2 and 3 during 
instruction execution, software must assist in performing the first check. The ARPL 
instruction is provided for this purpose. Software also can use steps 2 and 3 to check for 
potential violations, rather than waiting for an exception to be generated. The LAR, 
LSL, VERR, and VERW instructions are provided for this purpose. 

LAR (Load Access Rights) is used to verify that a pointer refers to a segment of a 
compatible privilege level and type. The LAR instruction has one operand — a segment 
selector for a descriptor whose access rights are to be checked. The segment descriptor 
must be readable at a privilege level which is numerically greater (less privileged) than 
the CPL and the selector's RPL. If the descriptor is readable, the LAR instruction gets 
the second doubleword of the descriptor, masks this value with OOFxFFOOH, stores the 
result into the specified 32-bit destination register, and sets the ZF flag. (The x indicates 
that the corresponding four bits of the stored value are undefined.) Once loaded, the 
access rights can be tested. All valid descriptor types can be tested by the LAR instruc- 
tion. If the RPL or CPL is greater than the DPL, or if the segment selector would exceed 
the limit for the descriptor table, no access rights are returned, and the ZF flag is 
cleared. Conforming code segments may be accessed from any privilege level. 

LSL (Load Segment Limit) allows software to test the limit of a segment descriptor. If 
the descriptor referenced by the segment selector (in memory or a register) is readable 
at the CPL, the LSL instruction loads the specified 32-bit register with a 32-bit, byte 
granular limit calculated from the concatenated limit fields and the G bit of the descrip- 
tor. This only can be done for descriptors which describe segments (data, code, task 
state, and local descriptor tables); gate descriptors are inaccessible. (Table 6-3 lists in 
detail which types are valid and which are not.) Interpreting the limit is a function of the 
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Table 6-3 


. Valid Descriptor Types for LSL Instruction 


Type Code 


Descriptor Type 


Valid? 





Reserved 


no 


1 


reserved 


no 


2 


LDT 


yes 


3 


reserved 


no 


4 


reserved 


no 


5 


Task Gate 


no 


6 


reserved 


no 


7 


reserved 


no 


8 


reserved 


no 


9 


Available 386™ DX TSS 


yes 


A 


reserved 


no 


B 


Busy 386 DX TSS 


yes 


C 


386 DX Call Gate 


no 


D 


reserved 


no 


E 


386 DX Interrupt Gate 


no 


F 


386 DX Trap Gate 


no 



segment type. For example, downward-expandable data segments (stack segments) treat 
the limit differently than other kinds of segments. For both the LAR and LSL instruc- 
tions, the ZF flag is set if the load was successful; otherwise, the ZF flag is cleared. 



6.7.1 Descriptor Validation 

The 386 DX microprocessor has two instructions, VERR and VERW, which determine 
whether a segment selector points to a segment which can be read or written using the 
CPL. Neither instruction causes a protection fault if the segment cannot be accessed. 

VERR (Verify for Reading) verifies a segment for reading and sets the ZF flag if that 
segment is readable using the CPL. The VERR instruction checks the following: 

• The segment selector points to a segment descriptor within the bounds of the GDT or 
an LDT. 

• The segment selector indexes to a code or data segment descriptor. 
® The segment is readable and has a compatible privilege level. 

The privilege check for data segments and nonconforming code segments verifies that 
the DPL must be a less privileged level than either the CPL or the selector's RPL. 
Conforming segments are not checked for privilege level. 

VERW (Verify for Writing) provides the same capability as the VERR instruction for 
verifying writability. Like the VERR instruction, the VERW instruction sets the ZF flag 
if the segment can be written. The instruction verifies the descriptor is within bounds, is 
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a segment descriptor, is writable, and has a DPL which is a less privileged level than 
either the CPL or the selector's RPL. Code segments are never writable, whether con- 
forming or not. 



6.7.2 Pointer Integrity and RPL 

The requested privilege level (RPL) can prevent accidental use of pointers v/hich crash 
more privileged code from a less privileged level. 

A common example is a file system procedure, PRE AD (file_id, n_bytes, buffer_ptr). 
This hypothetical procedure reads data from a disk file into a buffer, overwriting what- 
ever is already there. It services requests from programs operating at the application 
level, but it must run in a privileged mode in order to read from the system I/O buffer. If 
the application program passed this procedure a bad buffer pointer, one which pointed 
at critical code or data in a privileged address space, the procedure could cause damage 
which would crash the system. 

Use of the RPL can avoid this problem. The RPL allows a privilege override to be 
assigned to a selector. This privilege override is intended to be the privilege level of the 
code segment which generated the segment selector. In the above example, the RPL 
would be the CPL of the application program which called the system level procedure. 
The 386 DX microprocessor automatically checks any segment selector loaded into a 
segment register to determine whether its RPL allows access. 

To take advantage of the processor's checking of the RPL, the called procedure need 
only check that all segment selectors passed to it have an RPL for the same or a less 
privileged level as the original caller's CPL. This guarantees that the segment selectors 
are not more privileged than their source. If a selector is used to access a segment which 
the source would not be able to access directly, i.e., the RPL is less privileged than the 
segment's DPL, a general-protection exception is generated when the selector is loaded 
into a segment register. 

ARPL (Adjust Requested Privilege Level) adjusts the RPL field of a segment selector to 
be the larger (less privileged) of its original value and the value of the RPL field for a 
segment selector stored in a general register. The RPL fields are the two least significant 
bits of the segment selector and the register. The latter normally is a copy of the caller's 
CS register on the stack. If the adjustment changes the selector's RPL, the ZF flag is set; 
otherwise, the ZF flag is cleared. 



6.8 PAGE-LEVEL PROTECTION 

Protection applies to both segments and pages. When the flat model for memory seg- 
mentation has been used, page-level protection prevents programs from interfering with 
each other. 
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Each memory reference is checked to verify that it satisfies the protection checks. All 
checks are made before the memory cycle is started; any violation prevents the cycle 
from starting and results in an exception. Because checks are performed in parallel with 
address translation, there is no performance penalty. There are two page-level protec- 
tion checks: 

1. Restriction of addressable domain 

2. Type checking 

A protection violation results in an exception. See Chapter 9 for an explanation of the 
exception mechanism. This chapter describes the protection violations which lead to 
exceptions. 



6.8.1 Page-Table Entries Hold Protection Parameters 

Figure 6-10 highlights the fields of a page table entry which control access to pages. The 
protection checks are applied for both first- and second-level page tables. 

6.8.1.1 RESTRICTING ADDRESSABLE DOMAIN 

Privilege is interpreted differently for pages and segments. With segments, there are four 
privilege levels, ranging from (most privileged) to 3 (least privileged). With pages, 
there are two levels of privilege: 

1. Supervisor level (U/S = 0) — for the operating system, other system software (such as 
device drivers), and protected system data (such as page tables). 

2. User level (U/S = l) — for application code and data. 

The privilege levels used for segmentation are mapped into the privilege levels used for 
paging. If the CPL is 0, 1, or 2, the processor is running at supervisor level. If the CPL is 
3, the processor is running at user level. 




- READ/WRITE 
USER /SUPERVISOR 
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Figure 6-10. Protection Fields of a Page Table Entry 
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When the processor is running at supervisor level, all pages are accessible. When the 
processor is running at user level, only pages from the user level are accessible. 

6.8.1.2 TYPE CHECKING 

Only two types of pages are recognized by the protection mechanism: 

1. Read-only access (RAV = 0) 

2. Read/write access (RAV = 1) 

When the processor is running at supervisor level, all pages are both readable and writ- 
able (write-protection is ignored). When the processor is running at user level, only 
pages which belong to user level and are marked for read/write access are writable. 
User-level pages which are read/write or read-only are readable. Pages from the super- 
visor level are neither readable nor writable from user level. A general-protection excep- 
tion is generated on any attempt to violate the protection rules. 



6.8.2 Combining Protection of Both Levels of Page Tables 

For any one page, the protection attributes of its page directory entry (first-level page 
table) may differ from those of its second-level page table entry. The 386 DX micropro- 
cessor checks the protection for a page by examining the protection specified in both the 
page directory (first-level page table) and the second-level page table. Table 6-4 shows 
the protection provided by the possible combinations of protection attributes. 



Table 6-4. Combined Page Directory and Page Tabie Protection 


Page Directory Entry 


Page Table Entry 


Combined Effect 


Privilege 


Access Type 


Privilege 


Access Type 


Privilege 


Access Type 


User 


Read-Oniy 


User 


Read-Only 


User 


Read-Only 


User 


Read-Only 


User 


Read-Write 


User 


Read-Only 


User 


Read-Write 


User 


Read-Only 


User 


Read-Only 


User 


Read-Write 


User 


Read-Write 


User 


Read/Write 


User 


Read-Only 


Supervisor 


Read-Only 


User 


Read-Only 


User 


Read-Only 


Supervisor 


Read-Write 


User 


Read-Only 


User 


Read-Write 


Supervisor 


Read-Only 


User 


Read-Only 


User 


Read-Write 


Supervisor 


Read-Write 


User 


Read/Write 


Supervisor 


Read-Only 


User 


Read-Only 


User 


Read-Only 


Supervisor 


Read-Only 


User 


Read-Write 


User 


Read-Only 


Supervisor 


Read-Write 


User 


Read-Only 


User 


Read-Only 


Supervisor 


Read-Write 


User 


Read-Write 


User 


Read/Write 


Supervisor 


Read-only 


Supervisor 


Read-Only 


Supervisor 


Read/Write 


Supervisor 


Read-Only 


Supervisor 


Read-Write 


Supervisor 


Read/Write 


Supervisor 


Read-Write 


Supervisor 


Read-Only 


Supervisor 


Read/Write 


Supervisor 


Read-Write 


Supervisor 


Read-Write 


Supervisor 


Read/Write 
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6.8.3 Overrides to Page Protection 

Certain accesses are checked as if they are privilege-level accesses, for any value of 
CPL: 

o Access to segment descriptors (LDT, GDT, TSS and IDT). 

© Access to inner stack during a CALL instruction, or exceptions and interrupts, when 
a change of privilege level occurs. 

6.9 COIVIBINING PAGE AND SEGfVIENT PROTECTION 

When paging is enabled, the 386 DX microprocessor first evaluates segment protection, 
then evaluates page protection. If the processor detects a protection violation at either 
the segment level or the page level, the operation does not go through; an exception 
occurs instead. If an exception is generated by segmentation, no paging exception is 
generated for the operation. 

For example, it is possible to define a large data segment which has some parts which are 
read-only and other parts which are read-write. In this case, the page directory (or page 
table) entries for the read-only parts would have the U/S and RAV bits specifying no 
write access for all the pages described by that directory entry (or for individual pages 
specified in the second-level page tables). This technique might be used, for example, to 
define a large data segment, part of which is read-only (for shared data or ROMmed 
constants). This defines a "flat" data space as one large segment, with "flat" pointers 
used to access this "flat" space, while protecting shared data, shared files mapped into 
the virtual space, and supervisor areas. 
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CHAPTER 7 
MULTITASKING 

The 386™ DX microprocessor provides hardware support for multitasking. A task is a 
program which is running, or waiting to run while another program is running. A task is 
invoked by an interrupt, exception, jump, or call. When one of these forms of transfer- 
ring execution is used with a destination specified by an entry in one of the descriptor 
tables, this descriptor can be a type which causes a new task to begin execution after 
saving the state of the current task. There are two types of task-related descriptors which 
can occur in a descriptor table: task state segment descriptors and task gates. When 
execution is passed to either kind of descriptor, a task switch occwx^. 

A task switch is like a procedure call, but it saves more processor state information. A 
procedure call only saves the contents of the general registers, and it might save the 
contents of only one register (the EIP register). A procedure call pushes the contents of 
the saved registers on the stack, in order that a procedure may call itself. When a 
procedure calls itself, it is said to be re-entrant. 

A task switch transfers execution to a completely new environment, the environment of a 
task. This requires saving the contents of nearly all the processor registers, such as the 
EFLAGS register. Unlike procedures, tasks are not re-entrant. A task switch does not 
push anything on the stack. The processor state information is saved in a data structure 
in memory, called a task state segment. 

The registers and data structures which support multitasking are: 

® Task state segment 

• Task state segment descriptor 

o Task register 

© Task gate descriptor 

With these structures, the 386 DX microprocessor can switch execution from one task to 
another, with the context of the original task saved to allow the task to be restarted. In 
addition to the simple task switch, the 386 DX microprocessor offers two other task- 
management features: 

1. Interrupts and exceptions can cause task switches (if needed in the system design). 
The processor not only performs a task switch to handle the interrupt or exception, 
but it automatically switches back when the interrupt or exception returns. Inter- 
rupts may occur during interrupt tasks. 

2. With each switch to another task, the 386 DX microprocessor also can switch to 
another LDT. This can be used to give each task a different logical-to-physical 
address mapping. This is an additional protection feature, because tasks can be 
isolated and prevented from interfering with one another. The PDBR register also is 
reloaded. This allows the paging mechanism to be used to enforce the isolation 
between tasks. 
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Use of the multitasking mechanism is optional. In some applications, it may not be the 
best way to manage program execution. Where extremely fast response to interrupts is 
needed, the time required to save the processor state may be too great. A possible 
compromise in these situations is to use the task-related data structures, but perform 
task switching in software. This allows a smaller processor state to be saved. This tech- 
nique can be one of the optimizations used to enhance system performance after the 
basic functions of a system have been implemented. 



7.1 TASK STATE SEGMENT 

The processor state information needed to restore a task is saved in a type of segment, 
called a task state segment or TSS. Figure 7-1 shows the format of a TSS for a 386 DX 
CPU (compatibility with 80286 tasks is provided by a different kind of TSS; see 
Chapter 13). The fields of a TSS are divided into two main categories: 

1. Dynamic fields the processor updates with each task switch. These fields store: 

• The general registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, and EDI). 

• The segment registers (ES, CS, SS, DS, FS, and GS). 

• The flags register (EFLAGS). 

• The instruction pointer (EIP). 

o The selector for the TSS of the previous task (updated only when a return is 
expected). 

2. Static fields the processor reads, but does not change. These fields are set up when 
a task is created. These fields store: 

• The selector for the task's LDT. 

• The logical address of the stacks for privilege levels 0, 1, and 2. 

• The T-bit (debug trap bit) which, when set, causes the processor to raise a debug 
exception when a task switch occurs. (See Chapter 12 for more information on 
debugging.) 

• The base address for the I/O permission bit map. If present, this map is stored in 
the TSS at higher addresses. The base address points to the beginning of the 
map. (See Chapter 8 for more information about the I/O permission bit map.) 

If paging is used, it is important to avoid placing a page boundary within the part of the 
TSS which is read by the processor during a task switch (the first 108 bytes). If a page 
boundary is placed within this part of the TSS, the pages on either side of the boundary 
must be present at the same time. It is an unrecoverable error to receive a page fault or 
general-protection exception after the processor has started to read the TSS. 

7.2 TSS DESCRIPTOR 

The task state segment, like all other segments, is defined by a descriptor. Figure 7-2 
shows the format of a TSS descriptor. 
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31 23 15 ,7 


64 

60 

SC 

58 

54 

50 

4C 

48 

44 

40 

3C 

38 

34 

30 

2C 

28 

24 

20 

1C 

18 

14 

10 

OC 

8 

4 
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I/O MAP BASE 


0000000 00000 |t 


000 0000000000000 


LDT 


0000000 00000000 


GS 


0000000000000000 


FS 


0000000000000000 


DS 


0000000000000000 


SS 


000000000000 


CS 


0000000000000000 


ES 


EDI 


ESI 


EBP 


ESP 


EBX 


EDX 


ECX 


EAX 


EFLAGS 


INSTRUCTION POINTER (EIP) 


CR3 ' (PDPR) 


00000000 OOOOOOOOJ SS2 


ESP2 


Ol SS1 


ESP1 


00000000 'oooooooo| SSO 


ESPO 


0000000000000000| BACK LINK TC) PREVIOUS TSS 




NOTE: MEANS INTEL RESERVED. DO NOT DEFINE. 



Figure 7-1 . Task State Segment 

The Busy bit in the Type field indicates whether the task is busy. A busy task is currently 
running or waiting to run. A Type field with a value of 9 indicates an inactive task; a 
value of 11 (decimal) indicates a busy task. Tasks are not re-entrant. The 386 DX mi- 
croprocessor uses the Busy bit to detect an attempt to call a task whose execution has 
been interrupted. 



The Base, Limit, and DPL fields and the Granularity bit and Present bit have functions 
similar to their use in data-segment descriptors. The Limit field must have a value equal 
to or greater than 67H, one byte less than the minimum size of a task state. An attempt 
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to switch to a task whose TSS descriptor has a Hmit less than 67H generates an excep- 
tion. A larger limit is required if an I/O permission map is used. A larger limit also may 
be required for the operating system, if the system stores additional data in the TSS. 

A procedure with access to a TSS descriptor can cause a task switch. In most systems, 
the DPL fields of TSS descriptors should be clear, so only privileged software can per- 
form task switching. 

Access to a TSS descriptor does not give a procedure the ability to read or modify the 
descriptor. Reading and modification only can be done using a data descriptor mapped 
to the same location in memory. Loading a TSS descriptor into a segment register gen- 
erates an exception. TSS descriptors only may reside in the GDT. An attempt to access 
a TSS using a selector with a set TI bit (which indicates the current LDT) generates an 
exception. 



7.3 TASK REGISTER 

The task register (TR) is used to find the current TSS. Figure 7-3 shows the path by 
which the processor accesses the TSS. 



31 



TSS DESCRIPTOR 



2 2 2 2 2 1111111111 
4321 09876543210987 



BASE 31 :24 


G 








A 
V 

L 


LIMIT 
19:16 


P 


D 
P 

L 


TYPE 

o|i|o|b|i 


BASE 23:16 


BASE ADDRESS 15:00 


SEGMENT LIMIT 15:00 



+ 4 



4-0 



AVL 


AVAILABLE FOR USE BY SYSTEM SOFTWARE 


B 


BUSY BIT 


BASE 


SEGMENT BASE ADDRESS 


DPL 


DESCRIPTOR PRIVILEGE LEVEL 


DT 


DESCRIPTOR TYPE 
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Figure 7-2. TSS Descriptor 
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Figure 7-3. TR Register 
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The task register has both a "visible" part (i.e., a part which can be read and changed by 
software) and an "invisible" part (i.e., a part maintained by the processor and inaccessi- 
ble to software). The selector in the visible portion indexes to a TSS descriptor in the 
GDT. The processor uses the invisible portion of the TR register to retain the base and 
limit values from the TSS descriptor. Keeping these values in a register makes execution 
of the task more efficient, because the processor does not need to fetch these values 
from memory to reference the TSS of the current task. 

The LTR and STR instructions are used to modify and read the visible portion of the 
task register. Both instructions take one operand, a 16-bit segment selector located in 
memory or a general register. 

LTR (Load task register) loads the visible portion of the task register with the operand, 
which must index to a TSS descriptor in the GDT. The LTR instruction also loads the 
invisible portion with information from the TSS descriptor. The LTR instruction is a 
privileged instruction; it may be executed only when the CPL is 0. The LTR instruction 
generally is used during system initialization to put an initial value in the task register; 
afterwards, the contents of the TR register are changed by events which cause a task 
switch. 

STR (Store task register) stores the visible portion of the task register in a general 
register or memory. The STR instruction is not privileged. 



7.4 TASK GATE DESCRIPTOR 

A task gate descriptor provides an indirect, protected reference to a task. Figure 7-4 
illustrates the format of a task gate. 
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Figure 7-4. Task Gate Descriptor 
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The Selector field of a task gate indexes to a TSS descriptor. The RPL in this selector is 
not used. 

The DPL of a task gate controls access to the descriptor for a task switch. A procedure 
may not select a task gate descriptor unless the selector's RPL and the CPL of the 
procedure are numerically less than or equal to the DPL of the descriptor. This prevents 
less privileged procedures from causing a task switch. (Note that when a task gate is 
used, the DPL of the destination TSS descriptor is not used.) 

A procedure with access to a task gate can cause a task switch, as can a procedure with 
access to a TSS descriptor. Both task gates and TSS descriptors are provided to satisfy 
three needs: 

1. The need for a task to have only one Busy bit. Because the Busy bit is stored in the 
TSS descriptor, each task should have only one such descriptor. There may, how- 
ever, be several task gates which select a single TSS descriptor. 

2. The need to provide selective access to tasks. Task gates fill this need, because they 
can reside in an LDT and can have a DPL which is different from the TSS descrip- 
tor's DPL. A procedure which does not have sufficient privilege to use the TSS 
descriptor in the GDT (which usually has a DPL of 0) can still call another task if it 
has access to a task gate in its LDT. With task gates, the operating system can limit 
task switching to specific tasks. 

3. The need for an interrupt or exception to cause a task switch. Task gates also may 
reside in the IDT, which allows interrupts and exceptions to cause task switching. 
When an interrupt or exception supplies a vector to a task gate, the 386 DX micro- 
processor switches to the indicated task. 

Figure 7-5 illustrates how both a task gate in an LDT and a task gate in the IDT can 
identify the same task. 



7.5 TASK SWITCHING 

The 386 DX microprocessor transfers execution to another task in any of four cases: 

1. The current task executes a JMP or CALL to a TSS descriptor. 

2. The current task executes a JMP or CALL to a task gate. 

3. An interrupt or exception indexes to a task gate in the IDT. 

4. The current task executes an IRET when the NT flag is set. 

The JMP, CALL, and IRET instructions, as well as interrupts and exceptions, are all 
ordinary mechanisms of the 386 DX microprocessor which can be used in circumstances 
in which no task switch occurs. The descriptor type (when a task is called) or the NT flag 
(when the task returns) make the difference between the standard mechanism and the 
form which causes a task switch. 
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Figure 7-5. Task Gates Reference Tasks 

To cause a task switch, a JMP or CALL instruction can transfer execution to either a 
TSS descriptor or a task gate. The effect is the same in either case: the 386 DX micro- 
processor transfers execution to the specified task. 

An exception or interrupt causes a task switch when it indexes to a task gate in the IDT. 
If it indexes to an interrupt or trap gate in the IDT, a task switch does not occur. See 
Chapter 9 for more information on the interrupt mechanism. 
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An interrupt service routine always returns execution to the interrupted procedure, 
which may be in another task. If the NT flag is clear, a normal return occurs. If the NT 
flag is set, a task switch occurs. The task receiving the task switch is specified by the TSS 
selector in the TSS of the interrupt service routine. 

A task switch has these steps: 

1. Check that the current task is allowed to switch to the new task. Data-access privi- 
lege rules apply to JMP and CALL instructions. The DPL of the TSS descriptor and 
the task gate must be greater than or equal to both the CPL and the RPL of the gate 
selector. Exceptions, interrupts, and IRET instructions are permitted to switch tasks 
regardless of the DPL of the destination task gate or TSS descriptor. 

2. Check that the TSS descriptor of the new task is marked present and has a valid 
limit (greater than or equal to 67H). Any errors up to this point occur in the context 
of the current task. These errors restore any changes made in the processor state 
when an attempt is made to exercute the error-generating instruction. This lets the 
return address for the exception handler point to the error-generating instruction, 
rather than the instruction following the error-generating instruction. The exception 
handler can fix the condition which caused the error, and restart the task. The 
intervention of the exception handler can be completely transparent to the applica- 
tion program. 

3. Save the state of the current task. The processor finds the base address of the 
current TSS in the task register. The processor registers are copied into the current 
TSS (the EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, ES, CS, SS, DS, FS, GS, 
and EFLAGS registers). 

4. Load the TR register with the selector to the new task's TSS descriptor, set the new 
task's Busy bit, and set the TS bit in the CRO register. The selector is either the 
operand of a JMP or CALL instruction, or it is taken from a task gate. 

5. Load the new task's state from its TSS and continue execution. The registers loaded 
are the LDTR register; the EFLAGS register; the general registers EIP, EAX, 
ECX, EDX, EBX, ESP, EBP, ESI, EDI; and the segment registers ES, CS, SS, DS, 
FS, and GS. Any errors detected in this step occur in the context of the new task. To 
an exception handler, the first instruction of the new task appears not to have 
executed. 

Note that the state of the old task is always saved when a task switch occurs. If the task 
is resumed, execution starts with the instruction which normally would have been next. 
The registers are restored to the values they held when the task stopped running. 

Every task switch sets the TS (task switched) bit in the CRO register. The TS bit is useful 
to system software when a coprocessor (such as a numerics coprocessor) is present. The 
TS bit indicates that the context of the coprocessor may be different from that of the 
current task. Chapter 11 discusses the TS bit and coprocessors in more detail. 

Exception service routines for exceptions caused by task switching (exceptions resulting 
from steps 5 through 17 shown in Table 7-1) may be subject to recursive calls if they 
attempt to reload the segment selector which generated the exception. The cause of the 
exception (or the first of multiple causes) should be fixed before reloading the selector. 
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Table 7-1. Checks Made during a Task Switch 



Step 


Condition Checked 


Exception^ 


Error Code Reference 


1 
2 
3 


TSS descriptor is present in memory 

TSS descriptor is not busy 

TSS segment limit greater than or equal to 103 


NP 
GP 
TS 


New Task's TSS 
New Task's TSS 
New Task's TSS 


4 


Registers are loaded from the values in the TSS 


5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 


LDT selector of new task is valid^ 

Code segment DPL matches selector RPL 

SS selector is valid^ 

Stack segment is present In memory 

Stack segment DPL matches CPL 

LDT of new task is present in memory 

CS selector is valid^ 

Code segment is present in memory 

Stack segment DPL matches selector RPL 

DS, ES, FS, and GS selectors are valid^ 

DS, ES, FS, and GS segments are readable 

DS, ES, FS, and GS segments are present in memory 

DS, ES, FS, and GS segment DPL greater than or equal 

to CPL (unless these are conforming segments) 


TS 
TS 
TS 
SF 
TS 
TS 
TS 
NP 
TS 
TS 
TS 
NP 
TS 


New Task's TSS 
New Code Segment 
New Stack Segment 
New Stack Segment 
New Stack Segment 
New Task's TSS 
New Code Segment 
New Code Segment 
New Stack Segment 
New Data Segment 
New Data Segment 
New Data Segment 
New Data Segment 



1. NP = Segment-not-present exception, GP = General-protection exception, TS = Invalid-TSS excep- 
tion, SF = Stack exception. 

2. A selector is valid if it is in the compatible type of table (e.g., an LDT selector may not be in any table 
except the GDT), occupies an address within the table's segment limit, and refers to a compatible type of 
descriptor (e.g. a selector in the CS register only is valid when it indexes to a descriptor for a code 
segment; the descriptor type is specified in its Type field). 



The privilege level at which the old task was running has no relation to the privilege level 
of the new task. Because the tasks are isolated by their separate address spaces and task 
state segments, and because privilege rules control access to a TSS, no privilege checks 
are needed to perform a task switch. The new task begins executing at the privilege level 
indicated by the RPL of new contents of the CS register, which are loaded from the TSS. 



7.6 TASK LINKING 

The Link field of the TSS and the NT flag are used to return execution to the previous 
task. The NT flag indicates whether the currently executing task is nested within the 
execution of another task, and the Link field of the current task's TSS holds the TSS 
selector for the higher-level task, if there is one (see Figure 7-6). 

When an interrupt, exception, jump, or call causes a task switch, the 386 DX micropro- 
cessor copies the segment selector for the current task state segment into the TSS for the 
new task and sets the NT flag. The NT flag indicates the Link field of the TSS has been 
loaded with a saved TSS selector. The new task releases control by executing an IRET 
instruction. When an IRET instruction is executed, the NT flag is checked. If it is set, 
the processor does a task switch to the previous task. Table 7-2 summarizes the uses of 
the fields in a TSS which are affected by task switching. 
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Figure 7-6. Nested Tasks 



Table 7-2. Effect of a Task Switch on Busy, NT, and Link Fields 



Field 


Effect of Jump 


Effect of CALL 
Instruction or Interrupt 


Effect of IRET 
Instruction 


Busy bit of new 
task 


Bit is set. Must have 
been clear before. 


Bit is set. Must have been 
clear before. 


No change. Must be 
set. 


Busy bit of old 
task 


Bit is cleared. 


No change. Bit is 
currently set. 


Bit is cleared. 


NT flag of new 
task 


Flag is cleared. 


Flag is set. 


No change. 


NT flag of old 
task 


No change. 


No change. 


Flag is cleared. 


Link field of new 
task. 


No change. 


Loaded with selector for 
old task's TSS. 


No change. 


Link field of old 
task. 


No change. 


No change. 


No change. 



7-11 



intei' 



MULTITASKING 



Note that the NT flag may be modified by software executing at any privilege level. It is 
possible for a program to set its NT bit and execute an IRET instruction, which would 
have the effect of invoking the task specified in the Link field of the current task's TSS. 
To keep spurious task switches from succeeding, the operating system should initialize 
the Link field of every TSS it creates. 



7.6.1 Busy Bit Prevents Loops 

The Busy bit of the TSS descriptor prevents re-entrant task switching. There is only one 
saved task context, the context saved in the TSS, therefore a task only may be called 
once before it terminates. The chain of suspended tasks may grow to any length, due to 
multiple interrupts, exceptions, jumps, and calls. The Busy bit prevents a task from being 
called if it is in this chain. A re-entrant task switch would overwrite the old TSS for the 
task, which would break the chain. 

The processor manages the Busy bit as follows: 

1. When switching to a task, the processor sets the Busy bit of the new task. 

2. When switching from a task, the processor clears the Busy bit of the old task if that 
task is not to be placed in the chain (i.e., the instruction causing the task switch is a 
JMP or IRET instruction). If the task is placed in the chain, its Busy bit remains set. 

3. When switching to a task, the processor generates a general-protection exception if 
the Busy bit of the new task already is set. 

In this way, the processor prevents a task from switching to itself or to any task in the 
chain, which prevents re-entrant task switching. 

The Busy bit may be used in multiprocessor configurations, because the processor as- 
serts a bus lock when it sets or clears the Busy bit. This keeps two processors from 
invoking the same task at the same time. (See Chapter 11 for more information on 
multiprocessing.) 



7.6.2 Modifying Task Linkages 

Modification of the chain of suspended tasks may be needed to resume an interrupted 
task before the task which interrupted it. A reliable way to do this is: 

1. Disable interrupts. 

2. First change the Link field in the TSS of the interrupting task, then clear the Busy 
bit in the TSS descriptor of the task being removed from the chain. 

3. Re-enable interrupts. 
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7.7 TASK ADDRESS SPACE 

The LDT selector and PDBR (CR3) field of the TSS can be used to give each task its 
own LDT and page tables. Because segment descriptors in the LDTs are the connections 
between tasks and segments, separate LDTs for each task can be used to set up individ- 
ual control over these connections. Access to any particular segment can be given to any 
particular task by placing a segment descriptor for that segment in the LDT for that task. 
If paging is enabled, each task can have its own set of page tables for mapping linear 
addresses to physical addresses. 

It also is possible for tasks to have the same LDT. This is a simple and memory-efficient 
way to allow some tasks to communicate with or control each other, without dropping 
the protection barriers for the entire system. 

Because all tasks have access to the GDT, it also is possible to create shared segments 
accessed through segment descriptors in this table. 



7.7.1 Task Linear-to-Physical Space Mapping 

The choices for arranging the linear-to-physical mappings of tasks fall into two general 
classes: 

L One linear-to-physical mapping shared among all tasks. When paging is not enabled, 
this is the only choice. Without paging, all linear addresses map to the same physical 
addresses. When paging is enabled, this form of linear-to-physical mapping is ob- 
tained by using one page directory for all tasks. The linear space may exceed the 
available physical space if demand-paged virtual memory is supported. 

2. Independent linear-to-physical mappings for each task. This form of mapping comes 
from using a different page directory for each task. Because the PDBR (page direc- 
tory base register) is loaded from the TSS with each task switch, each task may have 
a different page directory. 

The linear address spaces of different tasks may map to completely distinct physical 
addresses. If the entries of different page directories point to different page tables and 
the page tables point to different pages of physical memory, then the tasks do not share 
any physical addresses. 

The task state segments must lie in a space accessible to all tasks so that the mapping of 
TSS addresses does not change while the processor is reading and updating the TSSs 
during a task switch. The linear space mapped by the GDT also should be mapped to a 
shared physical space; otherwise, the purpose of the GDT is defeated. Figure 7-7 shows 
how the linear spaces of two tasks can overlap in the physical space by sharing page 
tables. 
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Figure 7-7. Overlapping Linear-to-Physical Mappings 
7.7.2 Task Logical Address Space 



By itself, an overlapping linear-to-physical space mapping does not allow sharing of data 
among tasks. To share data, tasks must also have a common logical-to-linear space map- 
ping; i.e., they also must have access to descriptors which point into a shared linear 
address space. There are three ways to create shared logical-to-physical address-space 
mappings: 



1. Through the segment descriptors in the GDT. All tasks have access to the descrip- 
tors in the GDT. If those descriptors point into a linear-address space which is 
mapped to a common physical-address space for all tasks, then the tasks can share 
data and instructions. 

2. Through shared LDTs. Two or more tasks can use the same LDT if the LDT selec- 
tors in their TSSs select the same LDT for use in address translation. Segment 
descriptors in the LDT addressing linear space mapped to overlapping physical 
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space provide shared physical memory. This method of sharing is more selective 
than sharing by the GDT; the sharing can be limited to specific tasks. Other tasks in 
the system may have different LDTs which do not give them access to the shared 
areas. 

3. Through segment descriptors in the LDTs which map to the same linear address 
space. If the linear address space is mapped to the same physical space by the page 
mapping of the tasks involved, these descriptors permit the tasks to share space. 
Such descriptors are commonly called "aliases." This method of sharing is even 
more selective than those listed above; other descriptors in the LDTs may point to 
independent linear addresses which are not shared. 
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CHAPTER 8 
INPUT/OUTPUT 

This chapter explains the input/output architecture of the 386™ DX microprocessor. 
Input/output is accompHshed through I/O ports, which are registers connected to periph- 
eral devices. An I/O port can be an input port, an output port, or a bidirectional port. 
Some I/O ports are used for carrying data, such as the transmit and receive registers of a 
serial interface. Other I/O ports are used to control peripheral devices, such as the 
control registers of a disk controller. 

The input/output architecture is the programmer's model of how these ports are 
accessed. The discussion of this model includes: 

• Methods of addressing I/O ports. 

• Instructions which perform I/O operations. 

• The I/O protection mechanism. 



8.1 I/O ADDRESSING 

The 386 DX microprocessor allows I/O ports to be addressed in either of two ways: 

o Through a separate I/O address space accessed using I/O instructions. 

• Through memory-mapped I/O, where I/O ports appear in the address space of phys- 
ical memory. 

The use of a separate I/O address space is supported by special instructions and a 
hardware protection mechanism. When memory-mapped I/O is used, the general- 
purpose instruction set can be used to access I/O ports, and protection is provided using 
segmentation or paging. Some system designers may prefer to use the I/O facilities built 
into the processor, while others may prefer the simplicity of a single physical address 
space. 

If segmentation or paging is used for protection of the I/O address space, the AVL fields 
in segment descriptors or page table entries may be used to mark pages containing I/O 
as unrelocatable and unswappable. The AVL fields are provided for this kind of use, 
where a system programmer needs to make an extension to the address translation and 
protection mechanisms. 

Hardware designers use these ways of mapping I/O ports into the address space when 
they design the address decoding circuits of a system. I/O ports can be mapped twice, so 
that they appear in both the I/O address space and the address space of physical mem- 
ory. System programmers may wish to tell the hardware designers what kind of I/O 
addressing they would like to have. 

8-1 



intel' 



INPUT/OUTPUT 



8.1.1 I/O Address Space 

The 386 DX microprocessor provides a separate I/O address space, distinct from the 
address space for physical memory, where I/O ports can be placed. The I/O address 
space consists of 2 (64K) individually addressable 8-bit ports; any two consecutive 8-bit 
ports can be treated as a 16-bit port, and any four consecutive ports can be a 32-bit port. 
Extra bus cycles are required if a port crosses the boundary between two doublewords in 
physical memory. 

The M/IO# pin on the 386 DX microprocessor indicates when a bus cycle to the I/O 
address space occurs. When a separate I/O address space is used, it is the responsibility 
of the hardware designer to make use of this signal to select I/O ports rather than 
memory. In fact, the use of the separate I/O address space simplifies the hardware 
design because these ports can be selected by a single signal; unlike other processors, it 
is not necessary to decode a number of upper address lines in order to set up a separate 
I/O address space. 

A program can specify the address of a port in two ways. With an immediate byte 
constant, the program can specify: 

• 256 8-bit ports numbered through 255. 

• 128 16-bit ports numbered 0, 2, 4, ... , 252, 254. 

• 64 32-bit ports numbered 0, 4, 8, ... , 248, 252. 

Using a value in the DX register, the program can specify: 

• 8-bit ports numbered through 65535. 

• 16-bit ports numbered 0, 2, 4, ... , 65532, 65534. 

• 32-bit ports numbered 0, 4, 8, ... , 65528, 65532. 

The 386 DX microprocessor can transfer 8, 16, or 32 bits to a device in the I/O space. 
Like words in memory, 16-bit ports should be aligned to even addresses so that all 16 bits 
can be transferred in a single bus cycle. Like doublewords in memory, 32-bit ports should 
be aligned to addresses which are multiples of four. The processor supports data trans- 
fers to unaligned ports, but there is a performance penalty because an extra bus cycle 
must be used. 

The IN and OUT instructions move data between a register and a port in the I/O 
address space. The instructions INS and OUTS move strings of data between the mem- 
ory address space and ports in the I/O address space. 

Note that I/O port addresses 0F8H through OFFH are reserved for use by Intel. Do not 
assign I/O ports to these addresses. Also note that the processor performs bus cycles to 
I/O addresses 800000F8H and 800000FCH as part of the coprocessor interface (these 
addresses are beyond the defined range of the I/O address space). 
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8.1.2 Memory-Mapped I/O 

I/O devices may be placed in the address space for physical memory. This is called 
memory-mapped I/O. As long as the devices respond like memory components, they can 
be used with memory-mapped I/O. 

Memory-mapped I/O provides additional programming flexibility. Any instruction which 
references memoiy may be used to access an I/O port located in the memory space. For 
example, the MOV instruction can transfer data between any register and a port. The 
AND, OR, and TEST instructions may be used to manipulate bits in the control and 
status registers of peripheral devices (see Figure 8-1). Memory-mapped I/O can use the 
full instruction set and the full complement of addressing modes to address I/O ports. 

Memory-mapped I/O, like any other memory reference, is subject to access protection 
and control. See Chapter 6 for a discussion of memory protection. 



8.2 I/O INSTRUCTIONS 

The I/O instructions of the 386 DX microprocessor provide access to the processor's I/O 
ports for the transfer of data. These instructions have the address of a port in the I/O 
address space as an operand. There are two kinds of I/O instructions: 

1. Those which transfer a single item (byte, word, or doubleword) to or from a register. 
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Figure 8-1. Memory-Mapped I/O 
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2. Those which transfer strings of items (strings of bytes, words, or doublewords) lo- 
cated in memory. These are known as "string I/O instructions" or "block I/O 
instructions." 

These instructions cause the M/IO# signal to be driven low (logic 0) during a bus cycle, 
which indicates to external hardware that access to the I/O address space is taking place. 
If memory-mapped I/O is used, there is no reason to use I/O instructions. 



8.2.1 Register I/O Instructions 

The I/O instructions IN and OUT move data between I/O ports and the EAX register 
(32-bit I/O), the AX register (16-bit I/O), or the AL (8-bit I/O) register. The IN and 
OUT instructions address I/O ports either directly, with the address of one of 256 port 
addresses coded in the instruction, or indirectly using an address in the DX register to 
select one of 64K port addresses. 

IN (Input from Port) transfers a byte, word, or doubleword from an input port to the 
AL, AX, or EAX registers. A byte IN instruction transfers 8 bits from the selected port 
to the AL register. A word IN instruction transfers 16 bits from the port to the AX 
register. A doubleword IN instruction transfers 32 bits from the port to the EAX 
register. 

OUT (Output from Port) transfers a byte, word, or doubleword from the AL, AX, or 
EAX registers to an output port. A byte OUT instruction transfers 8 bits from the AL 
register to the selected port. A word OUT instruction transfers 16 bits from the AX 
register to the port. A doubleword OUT instruction transfers 32 bits from the EAX 
register to the port. 



8.2.2 Block I/O Instructions 

The INS and OUTS instructions move blocks of data between I/O ports and memory. 
Block I/O instructions use an address in the DX register to address a port in the I/O 
address space. These instructions use the DX register to specify: 

• 8-bit ports numbered through 65535. 

• 16-bit ports numbered 0, 2, 4, ... , 65532, 65534. 

• 32-bit ports numbered 0, 4, 8, ... , 65528, 65532. 

Block I/O instructions use either the SI or DI register to address memory. For each 
transfer, the SI or DI register is incremented or decremented, as specified by the DF 
flag. 

The INS and OUTS instructions, when used with repeat prefixes, perform block input or 
output operations. The repeat prefix REP modifies the INS and OUTS instructions to 
transfer blocks of data between an I/O port and memory. These block I/O instructions 
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are string instructions (see Chapter 3 for more on string instructions). They simphfy 
programming and increase the speed of data transfer by ehminating the need to use a 
separate LOOP instruction or an intermediate register to hold the data. 

The string I/O instructions operate on byte strings, word strings, or doubleword strings. 
After each transfer, the memory address in the ESI or EDI registers is incremented or 
decremented by 1 for byte operands, by 2 for word operands, or by 4 for doubleword 
operands. The DF flag controls whether the register is incremented (the DF flag is 
clear) or decremented (the DF flag is set). 

INS (Input String from Port) transfers a byte, word, or doubleword string element from 
an input port to memory. The INSB instruction transfers a byte from the selected port to 
the memory location addressed by the ES and EDI registers. The INSW instruction 
transfers a word. The INSD instruction transfers a doubleword. A segment override 
prefix cannot be used to specify an alternate destination segment. Combined with a REP 
prefix, an INS instruction makes repeated read cycles to the port, and puts the data into 
consecutive locations in memory. 

OUTS (Output String from Port) transfers a byte, word, or doubleword string element 
from memory to an output port. The OUTSB instruction transfers a byte from the mem- 
ory location addressed by the ES and EDI registers to the selected port. The OUTSW 
instruction transfers a word. The OUTSD instruction transfers a doubleword. A segment 
override prefix cannot be used to specify an alternate source segment. Combined with a 
REP prefix, an OUTS instruction reads consecutive locations in memory, and writes the 
data to an output port. 



8.3 PROTECTION AND I/O 

The I/O architecture has two protection mechanisms: 

1. The lOPL field in the EFLAGS register controls access to the I/O instructions. 

2. The I/O permission bit map of a TSS segment controls access to individual ports in 
the I/O address space. 

These protection mechanisms are available only when a separate I/O address space is 
used. When memory-mapped I/O is used, protection is provided using segmentation or 
paging. 

8.3.1 I/O Privilege Level 

In systems where I/O protection is used, access to I/O instructions is controlled by the 
lOPL field in the EFLAGS register. This permits the operating system to adjust the 
privilege level needed to perform I/O. In a typical protection ring model, privilege levels 
and 1 have access to the I/O instructions. This lets the operating system and the device 
drivers perform I/O, but keeps applications and less privileged device drivers from ac- 
cessing the I/O address space. Applications access I/O through the operating system. 
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The following instructions can be executed only if CPL < lOPL: 



IN 


—Input 


INS 


— Input String 


OUT 


-Output 


OUTS 


— Output String 


CLI 


— Clear Interrupt-Enable Flag 


STI 


— Set Interrupt-Enable Flag 



These instructions are called "sensitive" instructions, because they are sensitive to the 
lOPL field. In virtual-8086 mode, lOPL is not used; only the I/O permission bit map 
limits access to I/O ports (see Chapter 15). 

To use sensitive instructions, a procedure must run at a privilege level at least as privi- 
leged as that specified by the lOPL field. Any attempt by a less privileged procedure to 
use a sensitive instruction results in a general-protection exception. Because each task 
has its own copy of the EFLAGS register, each task can have a different lOPL. 

A task can change lOPL only with the POPF instruction; however, such changes are 
privileged. No procedure may changer its lOPL unless it is running at privilege level 0. 
An attempt by a less privileged procedure to change the lOPL does not result in an 
exception; the lOPL simply remains unchanged. 

The POPF instruction also may be used to change the state of the IF flag (as can the 
CLI and STI instructions); however, changes to the IF flag using the POPF instruction 
are lOPL-sensitive. A procedure may change the setting of the IF flag with a POPF 
instruction only if it runs with a CPL at least as privileged as the lOPL. An attempt by a 
less privileged procedure to change the IF flag does not result in an exception; the IF 
flag simply remains unchanged. 



8.3.2 I/O Permission Bit Map 

The 386 DX microprocessor can generate exceptions for references to specific I/O ad- 
dresses. These addresses are specified in the I/O permission bit map in the TSS (see 
Figure 8-2). The size of the map and its location in the TSS are variable. The processor 
finds the I/O permission bit map with the I/O map base address in the TSS. The base 
address is a 16-bit offset into the TSS. This is an offset to the beginning of the bit map. 
The limit of the TSS is the limit on the size of the I/O permission bit map. 

Because each task has its own TSS, each task has its own I/O permission bit map. Access 
to individual I/O ports can be granted to individual tasks. 

If the CPL and lOPL allow I/O instructions to execute, the processor checks the I/O 
permission bit map. Each bit in the map corresponds to an I/O port byte address; for 
example, the control bit for address 41 (decimal) in the I/O address space is found at bit 
position 1 of the sixth byte in the bit map. The processor tests all the bits corresponding 
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Figure 8-2. I/O Permission Bit IVIap 

to the I/O port being addressed; for example, a doubleword operation tests four bits 
corresponding to four adjacent byte addresses. If any tested bit is set, a general- 
protection exception is generated. If all tested bits are clear, the I/O operation proceeds. 

Because I/O ports which are not aligned to word and doubleword boundaries are per- 
mitted, it is possible that the processor may need to access two bytes in the bit map when 
I/O permission is checked. For maximum speed, the processor has been designed to read 
two bytes for every access to an I/O port. To prevent exceptions from being generated 
when the ports with the highest addresses are accessed, an extra byte needs to come 
after the table. This byte must have all of its bits set, and it must be within the segment 
limit. 

It is not necessary for the I/O permission bit map to represent all the I/O addresses. I/O 
addresses not spanned by the map are treated as if they had set bits in the map. For 
example, if the TSS segment limit is 10 bytes past the bit map base address, the map has 
11 bytes and the first 80 I/O ports are mapped. Higher addresses in the I/O address 
space generate exceptions. 

If the I/O bit map base address is greater than or equal to the TSS segment limit, there 
is no I/O permission map, and all I/O instructions generate exceptions. The base address 
must be less than or equal to ODFFFH. 
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CHAPTERS 
EXCEPTIONS AND INTERRUPTS 

Exceptions and interrupts are forced transfers of execution to a task or a procedure. The 
task or procedure is called a handler. Interrupts occur at random times during the exe- 
cution of a program, in response to signals from hardware. Exceptions occur when in- 
structions are executed which provoke exceptions. Usually, the servicing of interrupts 
and exceptions is performed in a manner transparent to application programs. Interrupts 
are used to handle events external to the processor, such as requests to service periph- 
eral devices. Exceptions handle conditions detected by the processor in the course of 
executing instructions, such division by 0. 

There two sources for interrupts and two sources for exceptions: 

1. Interrupts 

® Maskable interrupts, which are received on the INTR input of the 386™ DX 
microprocessor. Maskable interrupts do not occur unless the interrupt-enable 
flag (IF) is set. 

® Nonmaskable interrupts, which are received on the NMI (Non-Maskable Inter- 
rupt) input of the processor. The processor does not provide a mechanism to 
prevent nonmaskable interrupts. 

2. Exceptions 

® Processor-detected exceptions. These are further classified as faults, traps, and 
aborts. 

® Programmed exceptions. The INTO, INT 3, INT n, and BOUND instructions 
may trigger exceptions. These instructions often are called "software interrupts," 
but the processor handles them as exceptions. 

This chapter explains the features of the 386 DX microprocessor which control and 
respond to interrupts. 



9.1 EXCEPTION AND INTERRUPT VECTORS 

The processor associates an identifying number with each different type of interrupt or 
exception. This number is called a vector. 

The NMI interrupt and the exceptions are assigned vectors in the range through 31. 
Not all of these vectors are currently used in the Intel386™ architecture; unassigned 
vectors in this range are reserved for possible future uses. Do not use unassigned vectors. 

The vectors for maskable interrupts are determined by hardware. External interrupt 
controllers (such as Intel's 825 9A Programmable Interrupt Controller) put the vector on 
the bus of the 386 DX microprocessor during its interrupt-acknowledge cycle. Any vec- 
tors in the range 32 through 255 can be used. Table 9-1 shows the assignment of excep- 
tion and interrupt vectors. 
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Table 9-1. Exception and Interrupt Vectors 



Vector Number 


Description 





Divide Error 


1 


Debug Exception 


2 


NMI Interrupt 


3 


Breakpoint 


4 


INTO-detected Overflow 


5 


BOUND Range Exceeded 


6 


Invalid Opcode 


7 


Coprocessor Not Available 


8 


Double Fault 


9 


Coprocessor Segment Overrun 


10 


Invalid Task State Segment 


11 


Segment Not Present 


12 


Stack Fault 


13 


General Protection 


14 


Page Fault 


15 


(Intel® reserved. Do not use.) 


16 


Coprocessor Error 


17-31 


(Intel reserved. Do not use.) 


32-255 


Maskable Interrupts 



Exceptions are classified ^s faults, traps, or aborts dQp&nding on the way they are re- 
ported and whether restart of the instruction which caused the exception is supported. 

Faults A fault is an exception which is reported at the instruction boundary prior to 
the instruction in which the exception was detected. The fault is reported 
with the machine restored to a state which permits the instruction to be 
restarted. The return address for the fault handler points to the instruction 
which generated the fault, rather than the instruction following the faulting 
instruction. 

Traps A trap is an exception which is reported at the instruction boundary immedi- 
ately after the instruction in which the exception was detected. 

Aborts An abort is an exception which does not always report the location of the 
instruction causing the exception and does not allow restart of the program 
which caused the exception. Aborts are used to report severe errors, such as 
hardware errors and inconsistent or illegal values in system tables. 



9.2 INSTRUCTION RESTART 

For most exceptions and interrupts, transfer of execution does not take place until the 
end of the current instruction. This leaves the EIP register pointing at the instruction 
which comes after the instruction which was being executed when the exception or in- 
terrupt occurred. If the instruction has a repeat prefix, transfer takes place at the end of 
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the current iteration with the registers set to execute the next iteration. But if the excep- 
tion is a fauk, the processor registers are restored to the state they held before execution 
of the instruction began. This permits instruction restart. 

Instruction restart is used to handle exceptions which block access to operands. For 
example, an application program could make reference to data in a segment which is not 
present in memory. When the exception occurs, the exception handler must load the 
segment (probably from a hard disk) and resume execution beginning with the instruc- 
tion which caused the exception. At the time the exception occurs, the instruction may 
have altered the contents of some of the processor registers. If the instruction read an 
operand from the stack, it is necessary to restore the stack pointer to its previous value. 
All of these restoring operations are performed by the processor in a manner completely 
transparent to the application program. 

When a fault occurs, the EIP register is restored to point to the instruction which re- 
ceived the exception. When the exception handler returns, execution resumes with this 
instruction. 



9.3 ENABLING AND DISABLING INTERRUPTS 

Certain conditions and flag settings cause the processor to inhibit certain kinds of inter- 
rupts and exceptions. 



9.3.1 NMI Masks Further NMIs 

While an NMI interrupt handler is executing, the processor disables additional calls to 
the procedure or task which handles the interrupt until the next IRET instruction is 
executed. This prevents stacking up calls to the interrupt handler. 



9.3.2 IF Masks INTR 

The IF flag can turn off servicing of interrupts received on the INTR pin of the proces- 
sor. When the IF flag is clear, INTR interrupts are ignored; when the IF flag is set, 
INTR interrupts are serviced. As with the other flag bits, the processor clears the IF flag 
in response to a RESET signal. The STI and CLI instructions set and clear the IF flag. 

CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) put the IF flag 
(bit 9 in the EFLAGS register) in a known state. These instructions may be executed 
only if the CPL is an equal or more privileged level than the lOPL. A general-protection 
exception is generated if they are executed with a lesser privileged level. 

The IF flag also is affected by the following operations: 

• The PUSHF instruction stores all flags on the stack, where they can be examined and 
modified. The POPF instruction can be used to load the modified form back into the 
EFLAGS register. 
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Task switches and the POPF and IRET instructions load the EFLAGS register; 
therefore, they can be used to modify the setting of the IF flag. 

Interrupts through interrupt gates automatically clear the IF flag, which disables in- 
terrupts. (Interrupt gates are explained later in this chapter.) 



9.3.3 RF Masks Debug Faults 

The RF flag in the EFLAGS register can be used to turn off servicing of debug faults. If 
it is clear, debug faults are serviced; if it is set, they are ignored. This is used to suppress 
multiple calls to the debug exception handler when a breakpoint occurs. 

For example, an instruction breakpoint may have been set for an instruction which ref- 
erences data in a segment which is not present in memory. When the instruction is 
executed for the first time, the breakpoint generates a debug exception. Before the 
debug handler returns, it should set the RF flag in the copy of the EFLAGS register 
saved on the stack. This allows the segment-not-present fault to be reported after the 
debug exception handler transfers execution back to the instruction. If the flag is not set, 
another debug exception occurs after the debug exception handler returns. 

The processor sets the RF bit in the saved contents of the EFLAGS register when the 
other faults occur, so multiple debug exceptions are not generated when the instruction 
is restarted due to the segment-not-present fault. The processor clears its RF flag when 
the execution of the faulting instruction completes. This allows an instruction breakpoint 
to be generated for the following instruction. (See Chapter 12 for more information on 
debugging.) 



9.3.4 MOV or POP to SS Masks Some Exceptions and Interrupts 

Software which needs to change stack segments often uses a pair of instructions; for 
example: 

nov SS, AX 

nOV ESP, StackTop 

If an interrupt or exception occurs after the segment selector has been loaded but before 
the ESP register has been loaded, these two parts of the logical address into the stack 
space are inconsistent for the duration of the interrupt or exception handler. 

To prevent this situation, the 386 DX microprocessor inhibits interrupts, debug excep- 
tions, and single-step trap exceptions after either a MOV to SS instruction or a POP to 
SS instruction, until the instruction boundary following the next instruction is reached. 
General-protection faults may still be generated. If the LSS instruction is used to modify 
the contents of the SS register, the problem does not occur. 
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9.4 PRIORITY AMONG SIMULTANEOUS EXCEPTIONS AND 
INTERRUPTS 

If more than one exception or interrupt is pending at an instruction boundary, the pro- 
cessor services them in a predictable order. The priority among classes of exception and 
interrupt sources is shown in Table 9-2. The processor first services a pending exception 
or interrupt from the class which has the highest priority, transferring execution to the 
first instruction of the handler. Lower priority exceptions are discarded; lower priority 
interrupts are held pending. Discarded exceptions are re-issued when the interrupt han- 
dler returns execution to the point of interruption. 



9.5 INTERRUPT DESCRIPTOR TABLE 

The interrupt descriptor table (IDT) associates each exception or interrupt vector with a 
descriptor for the procedure or task which services the associated event. Like the GDT 
and LDTs, the IDT is an array of 8-byte descriptors. Unlike the GDT, the first entry of 
the IDT may contain a descriptor. To form an index into the IDT, the processor scales 
the exception or interrupt vector by eight, the number of bytes in a descriptor. Because 
there are only 256 vectors, the IDT need not contain more than 256 descriptors. It can 
contain fewer than 256 descriptors; descriptors are required only for the interrupt vec- 
tors which may occur. 

The IDT may reside anywhere in physical memory. As Figure 9-1 shows, the processor 
locates the IDT using the IDTR register. This register holds both a 32-bit base address 
and 16-bit limit for the IDT. The LIDT and SIDT instructions load and store the con- 
tents of the IDTR register. Both instructions have one operand, which is the address of 
six bytes in memory. 

If a vector references a descriptor beyond the limit, the processor enters shutdown 
mode. In this mode, the processor stops executing instructions until an NMI interrupt is 
received or reset initialization is invoked. The processor generates a special bus cycle to 
indicate it has entered shutdown mode. Software designers may need to be aware of the 
response of hardware to receiving this signal. For example, hardware may turn on an 
indicator light on the front panel, generate an NMI interrupt to record diagnostic infor- 
mation, or invoke reset initialization. 



Table 9-2. Priority Among Simultaneous Exceptions and Interrupts 


Priority 


Description 


Highest 


Faults except debug faults 




Trap instructions INTO, INT n, INT 3 




Debug traps for this instruction 




Debug traps for next instruction 




NMI interrupt 


Lowest 


INTR interrupt 



9-5 



intel' 



EXCEPTIONS AND INTERRUPTS 



47 



IDTR REGISTER 

16 15 



IDT BASE ADDRESS 



IDT LIMIT 



INTERRUPT DESCRIPTOR TABLE 






GATE FOR 


INTERRUPT #N 




GATE FOR 


INTERRUPT #3 


GATE FOR 


INTERRUPT #2 


GATE FOR 


INTERRUPT #1 



Figure 9-1. IDTR Register Locates IDT in Memory 

LIDT (Load IDT register) loads the IDTR register with the base address and Hmit held 
in the memory operand. This instruction can be executed only when the CPL is 0. It 
normally is used by the initialization code of an operating system when creating an IDT. 
An operating system also may use it to change from one IDT to another. 

SIDT (Store IDT register) copies the base and limit value stored in IDTR to memory. 
This instruction can be executed at any privilege level. 



9.6 IDT DESCRIPTORS 

The IDT may contain any of three kinds of descriptors: 

• Task gates 

• Interrupt gates 

• Trap gates 



9-6 



intel' 



EXCEPTIONS AND INTERRUPTS 



Figure 9-2 shows the format of task gates, interrupt gates, and trap gates. (The task gate 
in an IDT is the same as the task gate in the GDT or an LDT already discussed in 
Chapter 7.) 



TASK GATE 
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1 
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4 3 


1 1 1 

2 10 9 8 


7 


RESERVED 


P 
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P 
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Figure 9-2. IDT Gate Descriptors 
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9.7 INTERRUPT TASKS AND INTERRUPT PROCEDURES 

Just as a CALL instruction can call either a procedure or a task, so an exception or 
interrupt can "call" an interrupt handler as either a procedure or a task. When respond- 
ing to an exception or interrupt, the processor uses the exception or interrupt vector to 
index to a descriptor in the IDT. If the processor indexes to an interrupt gate or trap 
gate, it calls the handler in a manner similar to a CALL to a call gate. If the processor 
finds a task gate, it causes a task switch in a manner similar to a CALL to a task gate. 

9.7.1 Interrupt Procedures 

An interrupt gate or trap gate indirectly references a procedure which runs in the con- 
text of the currently executing task, as shown in Figure 9-3. The selector of the gate 
points to an executable-segment descriptor in either the GDT or the current LDT. The 
offset field of the gate descriptor points to the beginning of the exception or interrupt 
handling procedure. 

The 386 DX microprocessor calls an exception or interrupt handling procedure in much 
the same manner as a procedure call; the differences are explained in the following 
sections. 

9.7.1.1 STACK OF INTERRUPT PROCEDURE 

Just as with a transfer of execution using a CALL instruction, a transfer to an exception 
or interrupt handling procedure uses the stack to store the processor state. As Figure 9-4 
shows, an interrupt pushes the contents of the EFLAGS register onto the stack before 
pushing the address of the interrupted instruction. 

Certain types of exceptions also push an error code on the stack. An exception handler 
can use the error code to help diagnose the exception. 

9.7.1.2 RETURNING FROM AN INTERRUPT PROCEDURE 

An interrupt procedure differs from a normal procedure in the method of leaving the 
procedure. The IRET instruction is used to exit from an interrupt procedure. The IRET 
instruction is similar to the RET instruction except that it increments the contents of the 
EIP register by an extra four bytes and restores the saved flags into the EFLAGS regis- 
ter. The lOPL field of the EFLAGS register is restored only if the CPL is 0. The IF flag 
is changed only if CPL < lOPL. 

9.7.1.3 FLAG USAGE BY INTERRUPT PROCEDURE 

Interrupts using either interrupt gates or trap gates cause the TF flag to be cleared after 
its current value is saved on the stack as part of the saved contents of the EFLAGS 
register. In so doing, the processor prevents instruction tracing from affecting interrupt 
response. A subsequent IRET instruction restores the TF flag to the value in the saved 
contents of the EFLAGS register on the stack. 
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Figure 9-3. Interrupt Procedure Call 

The difference between an interrupt gate and a trap gate is its effect on the IF flag. An 
interrupt which uses an interrupt gate clears the IF flag, which prevents other interrupts 
from interfering with the current interrupt handler. A subsequent IRET instruction re- 
stores the IF flag to the value in the saved contents of the EFLAGS register on the 
stack. An interrupt through a trap gate does not change the IF flag. 

9.7.1.4 PROTECTION IN INTERRUPT PROCEDURES 

The privilege rule which governs interrupt procedures is similar to that for procedure 
calls: the processor does not permit an interrupt to transfer execution to a procedure in 
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Figure 9-4. Stack Frame after Exception or Interrupt 

a less privileged segment (numerically greater privilege level). An attempt to violate this 
rule results in a general-protection exception. 

Because interrupts generally do not occur at predictable times, this privilege rule effec- 
tively imposes restrictions on the privilege levels at which exception and interrupt han- 
dling procedures can run. Either of the following techniques can be used to keep the 
privilege rule from being violated. 

© The exception or interrupt handler can be placed in a conforming code segment. This 
technique can be used by handlers for certain exceptions (divide error, for example). 
These handlers must use only the data available on the stack. If the handler needs 
data from a data segment, the data segment would have to have privilege level 3, 
which would make it unprotected. 

« The handler can be placed in a code segment with privilege level 0. This handler 
would always run, no matter what CPL the program has. 
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9.7,2 Interrupt Tasks 

A task gate in the IDT indirectly references a task, as Figure 9-5 illustrates. The segment 
selector in the task gate addresses a TSS descriptor in the GDT. 

When an exception or interrupt calls a task gate in the IDT, a task switch results. 
Handling an interrupt with a separate task offers two advantages: 

® The entire context is saved automatically. 

e The interrupt handler can be isolated from other tasks by giving it a separate address 
space. This is done by giving it a separate LDT. 
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Figure 9-5. Interrupt Task Switch 
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A task switch caused by an interrupt operates in the same manner as the other task 
switches described in Chapter 7. The interrupt task returns to the interrupted task by 
executing an IRET instruction. 

Some exceptions return an error code. If the task switch is caused by one of these, the 
processor pushes the code onto the stack corresponding to the privilege level of the 
interrupt handler. 

When interrupt tasks are used in an operating system for the 386 DX microprocessor, 
there are actually two mechanisms which can create new tasks: the software scheduler 
(part of the operating system) and the hardware scheduler (part of the processor's inter- 
rupt mechanism). The software scheduler needs to accommodate interrupt tasks which 
may be generated when interrupts are enabled. 



9.8 ERROR CODE 



With exceptions related to a specific segment, the processor pushes an error code onto 
the stack of the exception handler (whether it is a procedure or task). The error code 
has the format shown in Figure 9-6. The error code resembles a segment selector; how- 
ever instead of an RPL field, the error code contains two one-bit fields: 

1. The processor sets the EXT bit if an event external to the program caused the 
exception. 

2. The processor sets the IDT bit if the index portion of the error code refers to a gate 
descriptor in the IDT. 

If the IDT bit is not set, the TI bit indicates whether the error code refers to the GDT 
(TI bit clear) or to the LDT (TI bit set). The remaining 14 bits are the upper bits of the 
selector for the segment. In some cases the error code is null (i.e., all bits in the lower 
word are clear). 

The error code is pushed on the stack as a doubleword. This is done to keep the stack 
aligned on addresses which are multiples of four. The upper half of the doubleword is 
reserved. 
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Figure 9-6. Error Code 
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9.9 EXCEPTION CONDITIONS 

The following sections describe conditions which generate exceptions. Each description 
classifies the exception as a fault, trap, or abort. This classification provides information 
needed by system programmers for restarting the procedure in which the exception 
occurred: 

Faults The saved contents of the CS and EIP registers point to the instruction which 
generated the fault. 

Traps The saved contents of the CS and EIP registers stored when the trap occurs 
point to the instruction to be executed after the instruction which generated 
the trap. If a trap is detected during an instruction which transfers execution, 
the saved contents of the CS and EIP registers reflect the transfer. For exam- 
ple, if a trap is detected in a JMP instruction, the saved contents of the CS 
and EIP registers point to the destination of the JMP instruction, not to the 
instruction at the next address above the JMP instruction. 

Aborts An abort is an exception which permits neither precise location of the in- 
struction causing the exception nor restart of the program which caused the 
exception. Aborts are used to report severe errors, such as hardware errors 
and inconsistent or illegal values in system tables. 



9-9.1 Interrupt 0- Divide Error 

The divide-error fault occurs during a DIV or an IDIV instruction when the divisor is 0. 

9.9.2 Interrupt 1 -Debug Exceptions 

The processor generates a debug exception for a number of conditions; whether the 
exception is a fault or a trap depends on the condition, as shown below: 

• Instruction address breakpoint fault 

• Data address breakpoint trap 
o General detect fault 

• Single-step trap 

• Task-switch breakpoint trap 

The processor does not push an error code for this exception. An exception handler can 
examine the debug registers to determine which condition caused the exception. See 
Chapter 12 for more detailed information about debugging and the debug registers. 
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9.9.3 Interrupt 3 ~ Breakpoint 

The INT 3 instruction generates a breakpoint trap. The INT 3 instruction is one byte 
long, which makes it easy to replace an opcode in a code segment in RAM with the 
breakpoint opcode. The operating system or a debugging tool can use a data segment 
mapped to the same physical address space as the code segment to place an INT 3 
instruction in places where it is desired to call the debugger. Debuggers use breakpoints 
as a way to suspend program execution in order to examine registers, variables, etc. 

The saved contents of the CS and EIP registers point to the byte following the break- 
point. If a debugger allows the suspended program to resume execution, it replaces the 
INT 3 instruction with the original opcode at the location of the breakpoint, and it 
decrements the saved contents of the EIP register before returning. See Chapter 12 for 
more information on debugging. 

9.9.4 Interrupt 4 -Overflow 

The overflow trap occurs when the processor executes an INTO instruction with the OF 
flag set. Because signed and unsigned arithmetic both use some of the same instructions, 
the processor cannot determine when overflow actually occurs. Instead, it sets the OF 
flag when the results, if interpreted as signed numbers, would be out of range. When 
doing arithmetic on signed operands, the OF flag can be tested directly or the INTO 
instruction can be used. 



9.9.5 Interrupt 5 -Bounds Check 

The bounds-check fault is generated when the processor, while executing a BOUND 
instruction, finds that the operand exceeds the specified limits. A program can use the 
BOUND instruction to check a signed array index against signed limits defined in a 
block of memory. 

9.9.6 Interrupt 6- Invalid Opcode 

The invalid-opcode fault is generated when an unreserved invalid opcode is detected by 
the execution unit. (The exception is not detected until an attempt is made to execute 
the invalid opcode; i.e., prefetching an invaUd opcode does not cause this exception.) No 
error code is pushed on the stack. The exception can be handled within the same task. 

This exception also occurs when the type of operand is invalid for the given opcode. 
Examples include an intersegment JMP instruction using a register operand, or an LES 
instruction with a register source operand. 

A third condition which generates this exception is the use of the LOCK prefix with an 
instruction which may not be locked. Only certain instructions may be used with bus 
locking, and only forms of these instructions which write to a destination in memory may 
be used. All other uses of the LOCK prefix generate an invalid-opcode exception. 
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The following is a list of undefined opcodes that are reserved by Intel. These opcodes do 
not generate interrupt 6. 

Intel reserved opcodes (single byte) 

82 

D6 

Fl 

Intel reserved opcodes (two byte) 

OF 07 
OF 10 
OF 11 
OF 12 
OF 13 
F6 XX 
F7 XX 

CO XX 
CI XX 
DO XX 
Dl XX 
D2 XX 
D3 XX 



9.9.7 Interrupt 7 -Coprocessor Not Available 

The coprocessor-not-available fault is generated by either of tv^o conditions: 

• The processor executes an ESC instruction, and the EM bit of the CRO register is set. 

o The processor executes a WAIT instruction or an ESC instruction, and both the MP 
bit and the TS bit of the CRO register are set. 

See Chapter 11 for more information about the coprocessor interface. 



9.9.8 Interrupt 8 -Double Fault 

Normally, when the processor detects an exception while trying to call the handler for a 
prior exception, the two exceptions can be handled serially. If, however, the processor 
cannot handle them serially, it signals the double-fault exception instead. To determine 
when two faults are to be signalled as a double fault, the 386 DX microprocessor divides 
the exceptions into three classes: benign exceptions, contributory exceptions, and page 
faults. Table 9-3 shows this classification. 
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Table 9-3. Interrupt and Exception Classes 



Class 


Vector Number 


Description 


Benign 
Exceptions 
and Interrupts 


1 
2 
3 
4 
5 
6 
7 
16 


Debug Exceptions 
NMI Interrupt 
Breakpoint 
Overflow 
Bounds Check 
Invalid Opcode 
Coprocessor Not Available 
Coprocessor Error 


Contributory 
Exceptions 



9 
10 
11 
12 
13 


Divide Error 

Coprocessor Segment Overrun 

Invalid TSS 

Segment Not Present 

Stack Fault 

General Protection 


Page Faults 


14 


Page Fault 



When two benign exceptions or interrupts occur, or one benign and one contributory, 
the two events can be handled in succession. When two contributory events occur, they 
cannot be handled, and a double-fault exception is generated. 

If a benign or contributory exception is followed by a page fault, the two events can be 
handled in succession. This is also true if a page fault is followed by a benign exception. 
However if a page fault is followed by a contributory exception or another page fault, a 
double-fault abort is generated. 

The processor always pushes an error code onto the stack of the double-fault handler; 
however, the error code is always 0. The faulting instruction may not be restarted. If any 
other exception occurs while attempting to call the double-fault handler, the processor 
enters shutdown mode. This mode is similar to the state following execution of a HLT 
instruction. No instructions are executed until an NMI interrupt or a RESET signal is 
received. The processor generates a special bus cycle to indicate it has entered shutdown 
mode. 



9.9.9 Interrupt 9 -Coprocessor Segment Overrun 

The coprocessor-segment overrun abort is generated if the middle portion of a coproces- 
sor operand is protected or not-present. This exception can be avoided. See Chapter 11 
for more information about the coprocessor interface. 



9.9.10 Interrupt 10-lnvalid TSS 

An invalid-TSS fault is generated if a task switch to a segment with an invalid TSS is 
attempted. A TSS is invalid in the cases shown in Table 9-4. An error code is pushed 
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Table 9-4. Invalid TSS Conditions 



Error Code Index 


Description 


TSS segment 
LDT segment 
Stack segment 
Stack segment 
Stack segment 
Stack segment 
Code segment 
Code segment 
Code segment 
Code segment 
Data segment 
Data segment 


TSS segment limit less than 67H 

Invalid LDT or LDT not present 

Stack segment selector exceeds descriptor table limit 

Stack segment is not writable 

Stack segment DPL not compatible with CPL 

Stack segment selector RPL not compatible with CPL 

Code segment selector exceeds descriptor table limit 

Code segment is not executable 

Non-conforming code segment DPL not equal to CPL 

Conforming code segment DPL greater than CPL 

Data segment selector exceeds descriptor table limit 

Data segment not readable 



onto the stack of the exception handler to help identify the cause of the fault. The EXT 
bit indicates whether the exception was caused by a condition outside the control of the 
program (e.g., if an external interrupt using a task gate attempted a task switch to an 
invalid TSS). 

This fault can occur either in the context of the original task or in the context of the new 
task. Until the processor has completely verified the presence of the new TSS, the ex- 
ception occurs in the context of the original task. Once the existence of the new TSS is 
verified, the task switch is considered complete; i.e., the TR register is loaded with a 
selector for the new TSS and, if the switch is due to a CALL or interrupt, the Link field 
of the new TSS references the old TSS. Any errors discovered by the processor after this 
point are handled in the context of the new task. 

To ensure a TSS is available to process the exception, the handler for an invalid-TSS 
exception must be a task called using a task gate. 



9.9.11 Interrupt 11 -Segment Not Present 

The segment-not-present fault is generated when the processor detects that the present 
bit of a descriptor is clear. The processor can generate this fault in any of these cases: 

9 While attempting to load the CS, DS, ES, FS, or GS registers; loading the SS register, 
however, causes a stack fault. 

© While attempting to load the LDT register using an LLDT instruction; loading the 
LDT register during a task switch operation, however, causes an invalid-TSS 
exception. 

9 While attempting to use a gate descriptor which is marked segment-not-present. 

This fault is restartable. If the exception handler loads the segment and returns, the 
interrupted program resumes execution. 
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If a segment-not-present exception occurs during a task switch, not all the steps of the 
task switch are complete. During a task switch, the processor first loads all the segment 
registers, then checks their contents for validity. If a segment-not-present exception is 
discovered, the remaining segment registers have not been checked and therefore may 
not be usable for referencing memory. The segment-not-present handler should not rely 
on being able to use the segment selectors found in the CS, SS, DS, ES, FS, and GS 
registers without causing another exception. The exception handler should check all 
segment registers before trying to resume the new task; otherwise, general protection 
faults may result later under conditions which make diagnosis more difficult. There are 
three ways to handle this case: 

1. Handle the segment-not-present fault with a task. The task switch back to the inter- 
rupted task causes the processor to check the registers as it loads them from 
the TSS. 

2. Use the PUSH and POP instructions on all segment registers. Each POP instruction 
causes the processor to check the new contents of the segment register. 

3. Check the saved contents of each segment register in the TSS, simulating the test 
which the processor makes when it loads a segment register. 

This exception pushes an error code onto the stack. The EXT bit of the error code is set 
if an event external to the program caused an interrupt which subsequently referenced a 
not-present segment. The IDT bit is set if the error code refers to an IDT entry (e.g., an 
INT instruction referencing a not-present gate). 

An operating system typically uses the segment-not-present exception to implement vir- 
tual memory at the segment level. A not-present indication in a gate descriptor, however, 
usually does not indicate that a segment is not present (because gates do not necessarily 
correspond to segments). Not-present gates may be used by an operating system to 
trigger exceptions of special significance to the operating system. 



9.9.12 Interrupt 12 -Stack Exception 

A stack fault is generated under two conditions: 

o As a result of a limit violation in any operation which refers to the SS register. This 
includes stack-oriented instructions such as POP, PUSH, ENTER, and LEAVE, as 
well as other memory references which implicitly use the stack (for example, MOV 
AX, [BP + 6]). The ENTER instruction generates this exception when there is too 
little space for allocating local variables. 

• When attempting to load the SS register with a descriptor which is marked segment- 
not-present but is otherwise valid. This can occur in a task switch, a CALL instruction 
to a different privilege level, a return to a different privilege level, an LSS instruction, 
or a MOV or POP instruction to the SS register. 

9-18 



iny' 



EXCEPTIONS AND INTERRUPTS 



When the processor detects a stack exception, it pushes an error code onto the stack of 
the exception handler. If the exception is due to a not-present stack segment or to 
overflow of the new stack during an interlevel CALL, the error code contains a selector 
to the segment which caused the exception (the exception handler can test the present 
bit in the descriptor to determine which exception occurred); otherwise, the error code 
isO. 

An instruction generating this fault is restartable in all cases. The return address pushed 
onto the exception handler's stack points to the instruction which needs to he restarted. 
This instruction usually is the one which caused the exception; however, in the case of a 
stack exception from loading a not-present stack-segment descriptor during a task 
switch, the indicated instruction is the first instruction of the new task. 

When a stack exception occurs during a task switch, the segment registers may not be 
usable for addressing memory. During a task switch, the selector values are loaded be- 
fore the descriptors are checked. If a stack exception is generated, the remaining seg- 
ment registers have not been checked and may cause exceptions if they are used. The 
stack fault handler should not expect to use the segment selectors found in the CS, SS, 
DS, ES, FS, and GS registers without causing another exception. The exception handler 
should check all segment registers before trying to resume the new task; otherwise, 
general protection faults may result later under conditions where diagnosis is more 
difficult. 



9.9.13 Interrupt 13- General Protection 

All protection violations which do not cause another exception cause a general- 
protection exception. This includes (but is not limited to): 

© Exceeding the segment limit when using the CS, DS, ES, FS, or GS segments. 

® Exceeding the segment limit when referencing a descriptor table. 

® Transferring execution to a segment which is not executable. 

© Writing to a read-only data segment or a code segment. 

© Reading from an execute-only code segment. 

© Loading the SS register with a selector for a read-only segment (unless the selector 
comes from a TSS during a task switch, in which case an invalid-TSS exception 
occurs). 

© Loading the SS, DS, ES, FS, or GS register with a selector for a system segment. 

® Loading the DS, ES, FS, or GS register with a selector for an execute-only code 
segment. 

© Loading the SS register with the selector of an executable segment. 

© Accessing memory using the DS, ES, FS, or GS register when it contains a null 
selector. 

© Switching to a busy task. 

© Violating privilege rules. 
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• Exceeding the instruction length limit of 15 bytes (this only can occur when redun- 
dant prefixes are placed before an instruction). 

• Loading the CRO register with a set PG bit (paging enabled) and a clear PE bit 
(protection disabled). 

© Interrupt or exception through an interrupt or trap gate from virtual-8086 mode to a 
handler at a privilege level other than 0. 

The general-protection exception is a fault. In response to a general-protection excep- 
tion, the processor pushes an error code onto the exception handler's stack. If loading a 
descriptor causes the exception, the error code contains a selector to the descriptor; 
otherwise, the error code is null. The source of the selector in an error code may be any 
of the following: 

1. An operand of the instruction. 

2. A selector from a gate which is the operand of the instruction. 

3. A selector from a TSS involved in a task switch. 



9.9.14 Interrupt 14-Page Fault 

A page fault occurs when paging is enabled (the PG bit in the CRO register is set) and 
the processor detects one of the following conditions while translating a linear address to 
a physical address: 

• The page-directory or page-table entry needed for the address translation has a clear 
Present bit, which indicates that a page table or the page containing the operand is 
not present in physical memory. 

® The procedure does not have sufficient privilege to access the indicated page. 

The processor provides the page fault handler two items of information which aid in 
diagnosing the exception and recovering from it: 

• An error code on the stack. The error code for a page fault has a format different 
from that for other exceptions (see Figure 9-7). The error code tells the exception 
handler three things: 

1. Whether the exception was due to a not-present page or to an access rights 
violation. 

2. Whether the processor was executing at user or supervisor level at the time of 
the exception. 

3. Whether the memory access which caused the exception was a read or write. 

• The contents of the CR2 register. The processor loads the CR2 register with the 
32-bit linear address which generated the exception. The exception handler can use 
this address to locate the corresponding page directory and page table entries. If 
another page fault can occur during execution of the page fault handler, the handler 
should push the contents of the CR2 register onto the stack. 
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Field 


Value 


Description 


U/S 





The access causing the fault originated when the 








processor was executing in supervisor mode. 








1 


The access causing the fault originated when the 
processor was executing in user mode. 






W/R 



1 


The access causing the fault was a read. 
The access causing the fault was a write. 






P 




1 


The fault was caused by a not-present page. 

The fault was caused by a page-level protection violation. 




3 


1 


,15 7 3 2 10 


240331 i 


WM 


//yy^yy^ p 











Figure 9-7. Page Fault Error Code 

9.9.14.1 PAGE FAULT DURING TASK SWITCH 

These operations during a task switch cause access to memory: 

1. Write the state of the original task in the TSS of that task. 

2. Read the GDT to locate the TSS descriptor of the new task. 

3. Read the TSS of the new task to check the types of segment descriptors from 
the TSS. 

4. May read the LDT of the new task in order to verify the segment registers stored in 
the new TSS. 

A page fault can result from accessing any of these operations. In the last two cases the 
exception occurs in the context of the new task. The instruction pointer refers to the next 
instruction of the new task, not to the instruction which caused the task switch (or the 
last instruction to be executed, in the case of an interrupt). If the design of the operating 
system permits page faults to occur during task-switches, the page-fault handler should 
be called through a task gate. 

9.9.14.2 PAGE FAULT WITH INCONSISTENT STACK POINTER 

Special care should be taken to ensure that a page fault does not cause the processor to 
use an invalid stack pointer (SS:ESP). Software written for Intel® 16-bit processors often 
uses a pair of instructions to change to a new stack; for example: 

flDV SS, AX 

PIDV SP, StackTop 



9-21 



intel^ 



EXCEPTIONS AND INTERRUPTS 



With the 386 DX microprocessor, because the second instruction accesses memory, it is 
possible to get a page fault after the selector in the SS segment register has been 
changed but before the contents of the SP register have received the corresponding 
change. At this point, the two parts of the stack pointer SS:SP (or, for 32-bit programs, 
SS:ESP) are inconsistent. The new stack segment is being used with the old stack 
pointer. 

The processor does not use the inconsistent stack pointer if the handling of the page 
fault causes a stack switch to a well defined stack (i.e., the handler is a task or a more 
privileged procedure). However, if the page fault handler is called by a trap or interrupt 
gate and the page fault occurs at the same privilege level as the page fault handler, the 
processor will attempt to use the stack indicated by the inconsistent stack pointer. 

In systems which use paging and handle page faults within the faulting task (with trap or 
interrupt gates), software executing at the same privilege level as the page fault handler 
should initialize a new stack by using the LSS instruction rather than an instruction pair 
shown above. When the page fault handler is running at privilege level (the normal 
case), the problem is limited to programs which run at privilege level 0, typically the 
kernel of the operating system. 

9.9.15 Interrupt 16- Coprocessor Error 

A coprocessor-error fault is generated when the processor detects a signal from the 
387™ DX numerics coprocessor on the ERROR# pin. If the EM bit of the CRO register 
is clear (no emulation), the processor tests this pin at the beginning of certain ESC 
instructions or when it executes a WAIT instruction. See Chapter 11 for more informa- 
tion on the coprocessor interface. 
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9.10 EXCEPTION SUMMARY 

Table 9-5 summarizes the exceptions recognized by the 386 DX microprocessor. 

Table 9-5. Exception Summary 







Return Address 






Description 


Vector 
Number 


Points to Faulting 
Instruction? 


Exception 
Type 


Source of the 
Exception 


Division by Zero 





Yes 


FAULT 


DIV and IDIV 
instructions 


Debug Exceptions 


1 


1 


1 


Any code or data 
reference 


Breakpoint 


3 


No 


TRAP 


INT 3 instruction 


Overflow 


4 


No 


TRAP 


INTO instruction 


Bounds Check 


5 


Yes 


FAULT 


BOUND instruction 


Invalid Opcode 


6 


Yes 


FAULT 


Reserved Opcodes 


Coprocessor Not 


7 


Yes 


FAULT 


ESC and WAIT 


Available 








instructions 


Double Fault 


8 


Yes 


ABORT 


Any instruction 


Coprocessor 


9 


No 


ABORT 


ESC instructions 


Segnnent Overrun 










Invalid TSS 


10 


Yes 


FAULT^ 


JMP, CALL, IRET 
instructions, 
interrupts, and 
exceptions 


Segment Not 


11 


Yes 


FAULT 


Any instruction 


Present 








which changes 
segments 


Stack Fault 


12 


Yes 


FAULT 


Stack operations 


General Protection 


13 


Yes 


FAULT/TRAP3 


Any code or data 
reference 


Page Fault 


14 


Yes 


FAULT^ 


Any code or data 
reference 


Coprocessor Error 


16 


Yes 


FAULT^ 


ESC and WAIT 
instructions 


Software Interrupt 


to 255 


No 


TRAP 


INT n instructions 



1 . Debug exceptions are either traps or faults. The exception handler can distinguish between traps and 
faults by examining the contents of the DR6 register. 

2. Restartability is conditional during task switches as discussed in Section 7.5. 

3. All general-protection faults are restartable. If the fault occurs while attempting to call the handler, the 
interrupted program is restartable, but the interrupt may be lost. 

4. Coprocessor errors are not reported until the first ESC or WAIT instruction following the ESC instruc- 
tion which generated the error. 
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9.11 ERROR CODE SUMMARY 

Table 9-6 summarizes the error information which is available with each exception. 

Table 9-6. Error Code Summary 



Description 


Vector Number 


Is an Error 
Code Generated? 


Divide Error 





No 


Debug Exceptions 


1 


No 


Breakpoint 


3 


No 


Overflow 


4 


No 


Bounds Check 


5 


No 


Invalid Opcode 


6 


No 


Coprocessor Not Available 


7 


No 


Double Fault 


8 


Yes (always zero) 


Coprocessor Segment Overrun 


9 


No 


Invalid TSS 


10 


Yes 


Segment Not Present 


11 


Yes 


Stack Fault 


12 


Yes 


General Protection 


13 


Yes 


Page Fault 


14 


Yes 


Coprocessor Error 


16 


No 


Software Interrupt 


0-255 


No 
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CHAPTER 10 
INITIALIZATION 

The 386™ DX microprocessor has an input, called the RESET# pin, which invokes reset 
initialization. After asserting the signal on the RESET# pin, some registers of the 386 
DX microprocessor are set to known states. These known states, such as the contents of 
the EIP register, are sufficient to allow software to begin execution. Software then can 
build the data structures in memory, such as the GDT and IDT tables, which are used by 
system and application software. 

Hardware asserts the RESET# signal at power-up. Hardware may assert this signal at 
other times. For example, a button may be provided for manually invoking reset initial- 
ization. Reset also may be the response of hardware to receiving a halt or shutdown 
indication. 

After reset initialization, the DH register holds a number which identifies the processor 
type. Binary object code can be made compatible with other Intel® processors by using 
this number to select the correct initialization software. Note the 386 DX microproces- 
sor has several processing modes. It begins execution in a mode which emulates an 8086 
processor, called real-address mode. If protected mode is to be used (the mode in which 
the 32-bit instruction set is available), the initialization software changes the setting of a 
mode bit in the CRO register. 



10.1 PROCESSOR STATE AFTER RESET 

A self-test may be requested at power-up. The self- test is requested by asserting the 
signal on the BUS Y# pin during the falling edge of the RESET# signal. It is the re- 
sponsibility of the hardware designer to provide the request for self-test, if desired. 
Reset initialization takes 350 to 450 CLK2 clock periods. If the self-test is selected, it 
takes about 2^^ clock periods (Intel reserves the right to change the exact number of 
periods without notification). For a 16 MHz processor, this takes about 33 milliseconds. 
(Note that chips are graded by their CLK frequency, which is half the frequency of 
CLK2.) 

The EAX register is clear if the 386 DX microprocessor passed the test. A non-zero 
value in the EAX register after self-test indicates the processor is faulty. If the self-test is 
not requested, the contents of the EAX register after reset initialization are undefined 
(possibly non-zero). The DX register holds a component identifier and revision number 
after reset initialization, as shown in Figure 10-1. The DH register contains the value 3, 
which indicates a 386 DX microprocessor. The DL register contains a unique identifier 
of the revision level. 

The state of the CRO register following power-up is shown in Figure 10-2. These states 
put the processor into real-address mode with paging disabled. 
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Figure 1 0-1 . Contents of the EDX Register after Reset 
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CONTROL REGISTER ZERO 



15 
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UNDEFINED 



— PAGING DISABLED 

* — INTEL RESERVED 

— NO TASK SWITCH 

— DO NOT MONITOR COPROCESSOR 

— COPROCESSOR NOT PRESENT 

_ PROTECTION NOT ENABLED (REAL ADDRESS MODE) ■ 



Figure 10-2. Contents of the CRO Register after Reset 

The state of the EBX, ECX, ESI, EDI, EBP, ESP, GDTR, LDTR, TR, and debug 
registers is undefined following power-up. Software should not depend on any undefined 
states. The state of the flags and other registers following power-up is shown in 
Table 10-1. 

Note that the invisible parts of the CS and DS segment registers are initialized to values 
which allow execution to begin, even though segments have not been defined. The base 
address for the code segment is set to 64K below the top of the physical address space, 
which allows room for a ROM to hold the initialization software. The base address for 
the data segments are set to the bottom of the physical address space (address 0), where 
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Table 10-1. Processor State Following Power-Up 



Register 


State (hexadecimal) 


EFLAGS 


XXXX0002H' 


EIP 


OOOOFFFOH 


CS 


OFOOOH^ 


DS 


OOOOH^ 


SS 


OOOOH 


ES 


OOOOH^ 


PS 


OOOOH 


GS 


OOOOH 


IDTR (base) 


OOOOOOOOH 


IDTR (limit) 


03FFH 


DR7 


OOOOH 



1 . Tiie high fourteen bits of the EFLAGS register are undefined following power-up. Ail of the flags areclear. 

2. The invisible part of the CS register holds a base address of OFFFFOOOOH and a limit of OFFFFH. 

3. The invisible parts of the DS and ES registers hold a base address of and a limit of OFFFFH. 

RAM is expected to be. To preserve these addresses, no instruction which loads the 
segment registers should be executed until a descriptor table has been defined and its 
base address and limit have been loaded into the GDTR register. 



10.2 SOFTWARE INITIALIZATION IN REAL-ADDRESS MODE 

After reset initialization, software sets up data structures needed for the processor to 
perform basic system functions, such as handling interrupts. If the processor remains in 
real-address mode, software sets up data structures in the form used by the 8086 proces- 
sor. If the processor is going to operate in protected mode, software sets up data struc- 
tures in the form used by the 80286 and 386 DX microprocessors, then switches modes. 



10.2.1 System Tables 

In real-address mode, no descriptor tables are used. The interrupt vector table, which 
starts at address 0, needs to be loaded with pointers to exception and interrupt handlers 
before interrupts can be enabled. The NMI interrupt is always enabled. If the interrupt 
vector table and the NMI interrupt handler need to be loaded into RAM, there will be a 
period of time following reset initialization when an NMI interrupt cannot be handled. 



10.2.2 NMI Interrupt 

Hardware must provide a mechanism to prevent an NMI interrupt from being generated 
while software is unable to handle it. For example, the interrupt vector table and NMI 
interrupt handler can be provided in ROM. This allows an NMI interrupt to be handled 
immediately after reset initialization. Another solution would be to provide a mechanism 
which passes the NMI signal through an AND gate controlled by a bit in an I/O port. 
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Hardware can clear the bit when the processor is reset, and software can set the bit 
when it is ready to handle NMI interrupts. System software designers should be aware of 
the mechanism used by hardware to protect software from NMI interrupts following 
reset. 



10.2.3 First Instruction 

Execution begins with the instruction addressed by the initial contents of the CS and IP 
registers. To allow the initialization software to be placed in a ROM at the top of the 
address space, the high 12 bits of addresses issued for the code segment are set, until the 
first instruction which loads the CS register, such as a far jump or call. As a result, 
instruction fetching begins from address OFFFFFFFOH. Because the size of the ROM is 
unknown, the first instruction is intended to be a jump to the beginning of the initializa- 
tion software. Only near jumps may be performed within the ROM-based software. 
After a far jump is executed, addresses issued for the code segment are clear in their 
high 12 bits. 



10.3 SWITCHING TO PROTECTED MODE 

Before switching to protected mode, a minimum set of system data structures must be 
created, and a minimum number of registers must be initialized. 

10.3.1 System Tables 

To allow protected mode software to access programs and data, at least one descriptor 
table, the GDT, and two descriptors must be created. Descriptors are needed for a code 
segment and a data segment. The stack can be be placed in a normal read/write data 
segment, so no descriptor for the stack is required. Before the GDT can be used, the 
base address and limit for the GDT must be loaded into the GDTR register using an 
LGDT instruction. 



10.3.2 NMI Interrupt 

If hardware allows NMI interrupts to be generated, the IDT and a gate for the NMI 
interrupt handler need to be created. Before the IDT can be used, the base address and 
limit for the IDT must be loaded into the IDTR register using an LIDT instruction. 



10.3.3 PEBIt 

Protected mode is entered by setting the PE bit in the CRO register. Either an LMSW or 
MOV CRO instruction may be used to set this bit (the MSW register is part of the CRO 
register). (Note: When writing to CRO, do not alter the value of undefined bits. Read 
CRO, change bits necessary and then write CRO.) Because the processor overlaps the 
interpretation of several instructions, it is necessary to discard the instructions which 
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already have been read into the processor. A JMP instruction immediately after the 
LMSW instruction changes the flow of execution, so it has the effect of emptying the 
processor of instructions which have been fetched or decoded. 

After entering protected mode, the segment registers continue to hold the contents they 
had in real-address mode. Software should reload all the segment registers. Execution in 
protected mode begins with a CPL of 0. 

10.4 SOFTWARE INITIALIZATION IN PROTECTED MODE 

The data structures needed in protected mode are determined by the memory- 
management features which are used. The processor supports segmentation models 
which range from a single, uniform address space (flat model) to a highly structured 
model with several independent, protected address spaces for each task (multisegmented 
model). Paging can be enabled for allowing access to large data structures which are 
partly in memory and partly on disk. Both of these forms of address translation require 
data structures which are set up by the operating system and used by the memory- 
management hardware. 

10.4.1 Segmentation 

A flat model without paging only requires a GDT with one code and one data segment 
descriptor. A flat model with paging requires code and data descriptors for supervisor 
mode and another set of code and data descriptors for user mode. In addition, it 
requires a page directory and at least one second-level page table. 

A multisegmented model may require additional segments for the operating system, as 
well as segments and LDTs for each application program. LDTs require segment de- 
scriptors in the GDT. Most operating systems, such as OS/2, allocate new segments and 
LDTs as they are needed. This provides maximum flexibility for handling a dynamic 
programming environment, such as an engineering workstation. An embedded system, 
such as a process controller, might pre-allocate a fixed number of segments and LDTs 
for a fixed number of application programs. This would be a simple and efficient way to 
structure the software environment of a system which requires fast real-time 
performance. 

10.4.2 Paging 

Unlike segmentation, paging is controlled by a mode bit. If the PG bit in the CRO 
register is clear (its state following reset initialization), the paging mechanism is com- 
pletely absent from the processor architecture seen by programmers. 

If the PG bit is set, paging is enabled. The bit may be set using a MOV CRO instruction. 
Before setting the PG bit, the following conditions must be true: 

• Software has created at least two page tables, the page directory and at least one 
second-level page table. 
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• The PDBR register (same as the CR3 register) is loaded with the base address of the 
page directory. 

• The processor is in protected mode (paging is not available in real-address mode). If 
all other restrictions are met, the PG and PE bits can be set at the same time. 

As with the PE bit, setting the PG bit must be followed immediately with a JMP instruc- 
tion. (Alternatively, the code which sets the PG bit can come from a page which has the 
same physical address after paging is enabled.) 



10.4.3 Tasks 

If the multitasking mechanism is not used, it is unnecessary to initialize the TR register. 

If the multitasking mechanism is used, a TSS and a TSS descriptor for the initialization 
software must be created. TSS descriptors must not be marked as busy when they are 
created; TSS descriptors should be marked as busy only as a side-effect of performing a 
task switch. As with descriptors for LDTs, TSS descriptors reside in the GDT. The LTR 
instruction is used to load a selector for the TSS descriptor of the initialization software 
into the TR register. This instruction marks the TSS descriptor as busy, but does not 
perform a task switch. The selector must be loaded before performing the first task 
switch, because a task switch copies the current task state into the TSS. After the LTR 
instruction has been used, further operations on the TR register are performed by task 
switching. As with segments and LDTs, TSSs and TSS descriptors can be either preallo- 
cated or allocated as needed. 



10.5 TLB TESTING 

The 386 DX microprocessor provides a mechanism for testing the translation lookaside 
buffer (TLB), the cache used for translating linear addresses to physical addresses. Al- 
though failure of the TLB hardware is extremely unlikely, users may wish to include TLB 
confidence tests among other power-up tests for the 386 DX microprocessor. 



NOTE 

This TLB testing mechanism is unique to the 386 DX microprocessor and may not be 
continued in the same way in future processors. Software which uses this mechanism 
may be incompatible with future processors. 

When testing the TLB, turn off paging to avoid interference with the test data written to 
the TLB. 
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10.5.1 Structure of the TLB 



The TLB is a four-way set-associative memory. Figure 10-3 illustrates the structure of 
the TLB. There are four sets of eight entries each. Each entry consists of a tag and data. 
Tags are 24 bits wide. They contain the high-order 20 bits of the linear address, the vaUd 
bit, and three attribute bits. The data portion of each entry contains the upper 12 bits of 
the physical address. 
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Figure 10-3. TLB Structure 
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10,5.2 Test Registers 

Two test registers, shown in Figure 10-4, are provided for the purpose of testing. The 
TR6 register is the test command register, and the TR7 register is the test data register. 
These registers are accessed by variants of the MOV instruction. The MGV instructions 
are defined in both real-address mode and protected mode. The test registers are privi- 
leged resources; in protected mode, the MOV instructions which access them can be 
executed only at privilege level (most privileged). An attempt to read or write the test 
registers from any other privilege level causes a general-protection exception. 

The test command register (TR6) contains a command and an address tag: 

C This is the Command bit. There are two TLB testing commands: 

write entries into the TLB, and perform TLB lookups. To cause an 
immediate write into the TLB entry, move a doubleword into the 
TR6 register which contains a clear C bit. To cause an immediate 
TLB lookup (read), move a doubleword into the TR6 register which 
contains a set C bit. 



Linear Address 



On a TLB write, a TLB entry is allocated to this linear address; the 
rest of that TLB entry is assigned using the value of the TR7 register 
and the value just written into the TR6 register. On a TLB lookup, 
the TLB is interrogated per this value; if one and only one TLB entry 
matches, the rest of the fields of the TR6 and TR7 registers are set 
from the matching TLB entry. 



V 



This bit indicates the TLB entry contains valid data. Entries in the 
TLB which are not loaded with page table entries have a clear V bit. 
All V bits are cleared by writing to the CR3 register, which has the 
effect of emptying or "flushing" the cache. The cache must be 
flushed after modifying the page tables, because otherwise unmodi- 
fied data might get used for address translation. 
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Figure 10-4. Test Registers 
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D, D# 

U, U# 

w, w# 



Physical Address 



PL 



REP 



The D bit (and its complement). 

The U/S bit (and its complement). 

The RAV bit (and its complement). 

The meaning of these pairs of bits is given in Table 10-2. 

The test data register (TR7) holds data read from or data to be 
written to the TLB. 

This is the data field of the TLB. On a write to the TLB, the TLB 
entry allocated to the linear address in the TR6 register is set to this 
value. On a TLB lookup (read), the data field (physical address) 
from the TLB is loaded into this field. 

On a TLB write, a set PL bit causes the REP field of the TR7 regis- 
ter to be used for selecting which of four associative blocks of the 
TLB entry is loaded. If the PL bit is clear, the internal pointer of the 
paging unit is used to select the block. On a TLB lookup (read), the 
PL bit indicates whether the read was a hit (the PL bit is set) or a 
miss (the PL bit is clear). 

For a TLB write, selects which of four associative blocks of the TLB 
is to be written. For a TLB read, if the PL bit is set, REP reports in 
which of the four associative blocks the tag was found; if the PL bit is 
clear, the contents of this field are undefined. 



10.5.3 Test Operations 

To write a TLB entry: 



L Move a doubleword to the TR7 register which contains the desired physical address, 
PL, and REP values. The PL bit must be set. The REP field must point to the 
associative block in which to place the entry. 

2. Move a doubleword to the TR6 register which contains the appropriate linear ad- 
dress, and values for the V, D, U, and W bits. The C bit must be set. 

Do not write duplicate tags; the results of doing so are undefined. 

Table 10-2. Meaning of Bit Pairs In the TR6 Register 



Bit 


Bit# 


Effect during TLB Lookup 


Value after TLB Write 




1 
1 




1 


1 


Miss all 

Match if the bit is clear 
Match if the bit is clear 
Match all 


Bit is undefined 
Bit is clear 
Bit is set 
Bit Is undefined 
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To lookup (read) a TLB entry: 

1. Move a doubleword to the TR6 register which contains the appropriate Hnear ad- 
dress and attributes. The C bit must be set. 

2. Read the TR7 register. If the PL bit in the TR7 register is set, then the rest of the 
register contents report the TLB contents. If the PL bit is clear, then the other 
values in the TR7 register are indeterminate. 

For the purposes of testing, the V bit functions as another bit of addresss. The V bit for 
a lookup request should usually be set, so that uninitialized tags do not match. Lookups 
with the V bit clear are unpredictable if any tags are unitialized. 



10.6 INITIALIZATION EXAMPLE 



This is an example of startup code to put either fl03fitj/fi037b 
into flat mode. All of memory is treated as simple, linear 
RAM. There are no interrupt routines. The Builder creates the 
GDT-alias and IDT-alias and places them, by default, in GDT[1] 
and GDTL2]. Other entries in the GDT are speicifed in the 
Build file. After initialization it jumps to a C startup 
routine- To use this template, change this jmp address to that 
of your code, or m^ke the label of your code "c_startup". 

NAME FLAT ; name of object module 

EXTRN c_startup:near -, this is the label jmped to after init 



pe_f lag 
data_sec 



equ 1 
equ E0h 



assume code is GDTL3], data GDTLM] 
INIT_CDDE SEGflENT ER PUBLIC USE3E ; Segment base at 0ffffffa0h 
PUBLIC GDT.DESC 
gdt_desc dq ? 
PUBLIC START 



start*. 

eld 

smsw bx 

test bl,l 

jnz pestart 
realstart : 

db tbh 

mov eax, offset gdt_desc 

xor ebx,ebx 

mov bh,ah 

mov bl ,al 

db b7h 

db bbh 

Igdt cs: Lebx] 

smsw ax 

or al,pe_flag 

Imsw ax 

jmp next 



clear direction flag 

check for processor (fl037b) at reset 

use SnSli) ratherthan flOV for speed 

is an fl03fib and in real mode 

force the next operand into 3S-bit mode. 

move address of the GDT descriptor into eax 

clear ebx 

load fi bits of address into bh 

load fi bitsof address into bl 

; use the 3E-bit form of LGDT to load 

; the 3E-bits of address into the GDTR 

; go into protected mode (set PE bit) 

; only change the PE bit, leave other bits unchanged 

; flush prefetch queue 
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pestarf. 

mov edx.eax 

mov ebx, offset gdt_desc 

xor Gax,eax 

mov ax,bx ; lowerportion of address only 

Igdt cs:[eax] 

xor ebx, ebx ; initialize data selectors 

mov bl,data-.selc ; GDTC3] 

mov dSjbx 

mov ssjbx 

mov eSjbx 

mov fs,bx 

mov gSjbx 

jmp pejump 
next: 

xor ebx, ebx ; initialize data selectors 

mov bl,data_selc ; GDT[3] 

mov ds,bx 

mov ss,bx 

mov es, bx 

mov fx,bx 

mov gs,bx 

db bbh ; forthe a03ab, need to make a 3E-bit jump 

pejump: 

jmp far ptr c_startup ; but the fl037t) is already 32-bit. 

org 70h ; only if segment base is at0fffffffl0h 

jmp short start 
INIT_CQ]>E ENDS 
END 

This code should be linked with the application for boot loadable code. The following 
code illustrates a dummy application. 

$title("Example Startup Code, Copyright ITflT, Intel Corporation") 

name dummy_application; 

data segment rw publich use32 

dontworry db fl dup (?) 

behappy db Mah, bih,bdh, B0h, Mbh, Ebh, SEh 

data ends 

code32 segment er public use3E 
assume ds:data, es:data 

public int0, intl_3,int2,int4,intS,intb,int7,intfl,intT 
public intl0,intll,intlE,intl3,intm, intlb 
public c^startup 

data-vers db ' S/3/fiT , ' Ver 1.00' 
db ' IntelCorporation ' 

c-startup: 
hit 

; Int0 routine 

int0 proc far 

hit 
int0 endp 
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-, ** intl_3 interrupt service routine -- debug register support ** 

; ** ** 

; t%t**ttttt*tt*tttttt****ttt*ttttttt*tttttt*t*t*tt****t*t**t*t********t**** 

intl_3 PRDC FAR 

hit 
intl_3 endp 

; IntE routine 

intE proc far 

hit 
intE endp 

; %tt*t*t*tttt*ttttt*tt%tttttttttttttttt*ttilli*tttttt*ttt****t******t**t*t***t 

; IntM routine 

int^ proc far 

hit 
intM endp 

• tt*t*tttt***t******t*tttttt*t*tt*tt*tt*ttttt*t*t**ttt*tt*t**tt**t***t***** 

; IntS routine 

; *ttt**ttttt*tt*tttt*t*t**t*tttt*t**ttt*tt*t*ttttt*t******t******t*t**t**** 

intS proc far 

hit 
intS endp 

; *******!j:#*** ***********##****#***#*******#*** ******* 

; Intb routine 

; ************************************************************************** 

intb proc far 

hit 
intb endp 

; ************************************************************************** 

; Int? routine 

5 ************************************************************************** 

int? proc far 

hit 
int? endp 

; ************************************************************************** 

; Intfl routine 

; ************************************************************************** 

intfl proc far 

hit 
intfl endp 

; ************************************************************************** 

; IntT routine 

; ************************************************************************** 



intT proc far 

hit 
intT endp 
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; t**ttt*t***t****t***t****tt**tttttt**tt*ttt*t*t***ttttt*ttt**ttt****tttt 

; Intl0 routine 

• **ttt**t*ttt*t*t**ttt****t***ttt*tt**t*tt*t****tt*ttttt*t*t**tttttt*ttt**t 

intl0 proc far 

hit 
intl0 endp 

; Intll routine 

intll proc far 

hit 
intll endp 

IntlS routine 

intl2 proc far 

hit 
intl2 endp 

; Get controlfrotn interrupt 13 

intl3 proc far 

hit 
intl3 endp 

•y Intm routine 

; tt*tttt***t*t**ttt*t**tt*tttt*t*tt*tttt*ttttttttt********t*t*ttttttttt*t*t 

intm proc far 

hit 
intm endp 

; tt*tt*tttttt*t**ttt******tt**tt*t*tt***t***tt*tt*t**tt*tt***tt****tt*t^ 
; Intlb routine 

intlb proc far 

hit 
intlb endp 

code3E ends 
end 



The following build file illustrates how to link these two pieces of code. 



FLAT; -- build program id 

SEGHENT 

♦segments (dpl=0), — Give all user segments a DPL of 0. 

_phantom-.code- (dpl=0,ra), — These two segments are created by 
_phantom_data_ (dpl=0), — the builder when the FLAT control is used. 

init-code (base=0f f f f f ffl0h,ra) , — Put startup code at the reset vector 

code3E (base = 0ffffef00h, ra) , 

data (base = 0h) ; 
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TASK 



HAIN- 


.TASK 




CODE = c_startup, 




DPL = 0, 




DATA = DATA, 




STACKS = (DATA), 




ND INTENABLED. 




PRESENT 

) ; 


GATE 




10 


(entry=lnt0, dpl=0, trap), 


il 


(Gntry = lntl_3,clpl = 0, trap), 


IE 


(Gntry=lnt2, dpl=0, trap). 


13 


(entry=lntl_3, dpl=0, trap) 


m 


(entry=lntM, dpl=0, trap). 


IS 


(Gntry=lntS, dpl=0, trap). 


It 


(entry=lntt, dpl=0, trap), 


17 


(entry=lnt7, dpl=0, trap). 


Ifi 


(entry=lntfl,dpl=0, trap), 


n 


(Gntry=lntT, dpl=0, trap), 


110 


(Gntry=lntl0, dpl=0, trap) 


HI 


(Gntry=lntll, dpl=0, trap) 


112 


(Gntry=intl2, dpl=0, trap) 


113 


(Gntry=lntl3, dpl=0, trap) 


im 


(Gntry = intm, dpl=0, trap) 


lib 


(Gntry=lntlb, dpl=0, trap) 


TABLE 




GDT 


-- 




(LOCATION = GDT_DESC, 



ENTRY = (3:_phantom_ocdG_, 
M :_phantom_data_, 
S:maln_task 
) 



Dummy InltlallzGd task scgmGnt 

Entry point Is main, which 

must bG a public Id. 

Task prlvllGQG IgvgI Is 0. 

Points to a sGgmGnt that 

Indicates Initial DS valuG- 

SGgmGnt Id points to stack 

SGgmGnt. SGts thG Intial SS:ESP. 

DlsablG IntGrrupts. 

PnGSGnt bit In TSS SGt to 1. 



— DGflnG Intlal IntGrrupts/f aults 

— DlvldG by ZGTO trap 

— DGbug/trap rGglstGr support 

— Nni IntGrrupt 

— IntGrrupt 3 dGbug support 
-- OvGrflow ExcGptlon 

— Bounds ChGck ExcGptlon 

— Invalid OpcodG ExcGptlon 

— CoprocGSSor not avalablG 

— DoublG fault 

— CoprocGSSor SGgmGnt OvGrrun 

— Invalid TSS Gxccptlon 

— SGgmGntnot prGSGnt GXCGptlon 

— .stack GXCGptlon 

, — trap gatG dlsablGS IntGrrupts 

, — page fault 

, -- coprocGSSor Grror 

CTGatG GDT 

In a buffGT starting at GDT_DESCC 
BLD3fib placGS thG GDT basG and 
GDT limit valuGS. BuffGr must bG 
b bytGS long.ThG basG and limit 
valuGs arG placGS In this buffGr 
as two bytGS of limit plus 
four bytGS of basGln thG format 
TGqulrGd for usg by thG LGDT 
Instruction. 

— Explicitly placG SGgmGnt 

— GntrlGS into thG GDT 



), 



IDT 



BASE = 0fffffl000h 


ENTRY=( 


10, 


1 


11, 


E 


IE, 


3 


13, 


M 


14, 


S 


IS, 


b 


lb, 


7 


17, 


fi 


Ifi, 


=i 


n, 


10 


110, 


11 


HI, 


12 


HE, 


13 


113, 


m 


114, 


lb 


lib) 
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dummyldt 

(ENTRY=( l:code3E, 
2:data, 
3:int_code) 
); 

HEnQRY 

(RANGE = (EPROn = ROflCOf f f f a000h. .0f f f f f f f f h) , 

DRAH = RAn(0..0ffffh)), 
ALLOCATE = (riAIN-TASK) ) ) ; 

END 

The commands to assemble and build a boot loadable application named "init" are 
contained in the following batch file. "Init.asm" is the code to put the 386 CPU in flat 
mode and "startup. asm" is the dummy application code. 

dstn3fib init-asm debug 

asmBfib startup'asm debug 

bnd3flt startup. objjinit-obj nolo debug oj (init.bnd) 

bld3flb init.bnd bf (init-bld) bl flat 

map3fib init 

This batch file used version 3.0 of the Intel RLL utilities and Intel 386ASM assembler to 
assemble and build the code. 
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CHAPTER 11 
COPROCESSING AND MULTIPROCESSING 

A common method of increasing system performance is to use multiple processors. The 
Intel386™ architecture supports two kinds of multiprocessing: 

« An interface for specific, performance-enhancing processors called coprocessors. 
These processors extend the instruction set of the 386™ DX microprocessor to in- 
clude groups of closely-related instructions which are executed, in parallel with the 
original instruction set, by dedicated hardware. These extensions include IEEE- 
format floating-point arithmetic and raster-scan computer graphics. 

• An interface for other processors. Other processors could be an 80286 processor, 
another 386 DX microprocessor, or an 8086 or 8088 processor in a PC or workstation. 
Several 386 DX microprocessors could be in the same system to control multiple 
peripheral devices or to provide additional computational power. 

11.1 COPROCESSING 

The features of the Intel386 architecture which are the coprocessor interface include: 

9 ESC and WAIT instructions 

TS, EM, and MP bits of the CRO register 

® Coprocessor Exceptions 

11.1.1 Software Recognition of the Numeric Coprocessor 

Figure 11-1 shows an example of a recognition routine that determines whether or not a 
math coprocessor is present. This routine can be executed on any 386 DX, 386 SX, 80286 
or 8086 microprocessor hardware configuration that has a coprocessor socket. 

The example guards against the possibility of accidentally reading an expected value 
from a floating data bus when no numeric coprocessor is present. Data read from a 
floating bus is undefined. By expecting to read a specific bit pattern from the numeric 
coprocessor, the routine protects itself from the indeterminate state of the bus. The 
example also avoids depending on any values in reserved bits, thereby maintaining com- 
patibility with future numerics coprocessors. 

1 1 .1 .2 The ESC and WAIT Instructions 

The 386 DX microprocessor interprets the bit pattern 11011 (binary) in the highest five 
bits of the first byte of an instruction as an opcode intended for a coprocessor. Instruc- 
tions which start with this bit pattern are called ESCAPE or ESC instructions. The 
processor performs the following functions before sending these instructions to the 
coprocessor: 

• Test the EM bit to determine whether coprocessor functions are to be emulated by 
software. 
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fl0flb/fl7/flfl/lflb 


nACRD ASSEHBLER 


Test for 


presence 


of a Numerics Chip, Revision 1.0 PAGE 1 


DOS 


3.S0 (033- 


N) fl0flb/fl7/flfl/lfib 


nACRD ASSEHBLER V2 


ASSEHBLY DF HDDULE TEST.NPX 


OBJECT nODULE 


PLACED IN FINDNPX 


QBJ 






LQC 


DBJ 


LINE 


SOURCE 












a $title( 


'Test for presence of a Numerics Chip, Revision 1.0') 








name 


Test_NPX 







stack 


segment 


stack 'stack' 


0000 


(100 
???? 






dw 


100 dup (?) 


00Cfl 


) 

???? 




sst 


du 


? 









stack 


ends 









data 


segment 


public 'data' 


0000 


0000 




temp 


du 


0h 








data 


ends 










dgroup 


group 


data, stack 








cgroup 


group 


code 





















code 


segment 


public 'code' 










assume 


cs:cgroup, ds:dgroup 














0000 






start: 






























Look for an 6067, 60267, 367 SX or 367 DX NPX 












Note that ue cannot execute WAIT on 606b/66 if no 6067 is present. 


0000 




test_np 


x: 




0000 


10DBE3 






fninit 


i riust use non-wait form 


0003 


BE0000 


R 27 




mov 


si, offset dgroup:temp 


000b 


C70MSASA 






mov 


word ptr [sil.SASAH ; Initialize temp to non-zero value 


000A 


10DD3C 






fnstsw 


Csi] ; flust use non-wait form of fstsw 

; It is not necessary to use a UAIT instruction 
; after fnstsw or fnstcw. Do not use one here. 


000D 


a03C00 






cmp 


byte ptr [si],0 ; See if correct status with zeroes was read 


0010 


7SEA 






jne 


no_npx ; Jump if not a valid status word, meaning no NPX 


























Now see 


if ones can be correctly written from the control word. 
















0012 


10D13C 






fnstcw 


tsi] ; Look at the control word; do not use UAIT form 
; Do not use a UAIT instruction here! 


001S 


aB0^ 






mov 


ax, tsi] ; See if ones can be written by NPX 


0017 


E53F10 






and 


ax,103fh ; See if selected parts of control word look DK 


001A 


3D3F00 






cmp 


ax,3fh -, Check that ones and zeroes were corretly read 


001D 


7S1I> 






jne 


no_npx ; Jump if no NPX is installed 


























Some numerics chip is installed. NPX instructions and UAIT are now safe. | 












See if 


the NPX is an 6067, 60267, 367 SX or 367 DX 












This code is necessary if a denormal exception handler is used or the | 












new 367 


instructions will be used. 


001F 


IBDIEfl 


' 


fldl 


; riust use default control word from FNINIT 


002B 


^BDIEE 






fldz 


; Form infinity 


00ES 


^BDEFT 






fdiv 


; 6067/267 says + inf = -inf 


005fi 


1BD1C0 






fid 


st ; Form negative infinity 


00SB 


^BD^E0 






fchs 


; 367 SX/DX says + inf <> -inf 


002E 


1BDEDT 






fcompp 


; See if they are the same and remove them 


0031 


1BDD3C 






fstsw 


[si] ; Look at status from FCOflPP 


003q 


8B0^ 






mov 


ax, [si] 


003t 


IE 






sahf 


; See if the infinities matched 


0037 


740b 






je 


found_6?_267 ; Jump if 6067/26? is present 










A 367 SX/DX is present. If denormal exceptions are used for an 6067/267, 












they must be masked. The 367 SX/I>X will automatically normalize denormal 












operand 


s faster than an exception handler can. 

















Figure 11-1. Software Routine to Recognize a l\/lath Coprocessor 
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fi0flb/67/flfl/iab 


flACRQ 


ASSEHBLER 


T 


est for presence of a Numerics Chip, Revision 1.0 


PAGE E 


LDC DBJ 






LINE 




SOURCE 




003=1 EBBV'ia 










jtnp found_3fl7 SX_I>X 




003C 










no_npx: 

; set up for no NPX 




003C EB0M10 










jmp exit 




003F 










found_fl7_2fl7: 

; set up for fl7/2fl7 

; 




003F EB0n0 










jmp exit 




00MS 










found_3a7 SX_I>X 

; set up for 3fl7 SX/DX 




00HS 










exit; 




.... 










code ends 

end start,ds:dgroup,ss:dgroup:sst 




ASSEHBLY CDflPLETE, 


NO 


ERRORS FOUND 







Figure 11-1. Software Routine to Recognize a IVIath Coprocessor (contd.) 

• Test the TS bit to determine whether there has been a context switch since the last 
ESC instruction. 

• For some ESC instructions, test the signal on the ERROR# pin to determine 
whether the coprocessor produced an error in the previous ESC instruction. 

The WAIT instruction is not an ESC instruction, but it causes the processor to perform 
some of the tests which are performed for an ESC instruction. The processor performs 
the following actions for a WAIT instruction: 

• Wait until the coprocessor no longer asserts the BUSY# pin. 

• Test the signal on the ERROR# pin (after the signal on the BUSY# pin is deas- 
serted). If the signal on the ERROR# pin is asserted, the 386 DX microprocessor 
generates the coprocessor-error exception, which indicates that the coprocessor pro- 
duced an error in the previous ESC instruction. 

The WAIT instruction can be used to generate a coprocessor-error exception if an error 
is pending from a previous ESC instruction. 

11.1.3 The EM and MP Bits 

The EM and MP bits of the CRO register affect the operations which are performed in 
response to coprocessor instructions. 

The EM bit determines whether coprocessor functions are to be emulated. If the EM bit 
is set when an ESC instruction is executed, the coprocessor-not-available exception is 
generated. The exception handler then can emulate the coprocessor instruction. This 
mechanism is used to create software which adapts to the hardware environment; install- 
ing a coprocessor for performance enhancement can be as simple as plugging in a chip. 
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The MP bit controls whether the processor monitors the signals from the coprocessor. 
This bit is an enabling signal for the hardware interface to the coprocessor. The MP bit 
affects the operations performed for the WAIT instruction. If the MP bit is set when a 
WAIT instruction is executed, then the TS bit is tested; otherwise, it is not. If the TS bit 
is set under these conditions, the coprocessor-not-available exception is generated. 

The states of the EM and MP bits can be modified using a MOV instruction with the 
CRO register as the destination operand. The states can be read using a MOV instruc- 
tion with the CRO register as the source operand. These forms of the MOV instruction 
can be executed only with privilege level (most privileged). 



11.1.4 TheTS Bit 

The TS bit of the CRO register indicates that the context of the coprocessor does not 
match that of the task being run on the 386 DX microprocessor. The 386 DX micropro- 
cessor sets the TS bit each time it performs a task switch (whether triggered by software 
or by a hardware interrupt). If the TS bit is set while an ESC instruction is executed, a 
coprocessor-not-available exception is generated. The WAIT instruction also generates 
this exception, if both the TS and MP bits are set. This exception gives software the 
opportunity to switch the context of the coprocessor to correspond to the current task. 

The CLTS instruction (legal only at privilege level 0) clears the TS bit. 

11.1.5 Coprocessor Exceptions 

Three exceptions are used by the coprocessor interface: interrupt 7 (coprocessor not 
available), interrupt 9 (coprocessor segment overrun), and interrupt 16 (coprocessor 
error). 

11.1.5.1 INTERRUPT 7-COPROCESSOR NOT AVAILABLE 

This exception occurs in either of two conditions: 

© The processor executes an ESC instruction while the EM bit is set. In this case, the 
exception handler should emulate the instruction which caused the exception. The TS 
bit also may be set. 

© The processor executes either the WAIT instruction or an ESC instruction when both 
the MP and TS bits are set. In this case, the exception handler should update the 
state of the coprocessor, if necessary. 

11.1.5.2 INTERRUPT 9 -COPROCESSOR SEGMENT OVERRUN 

A coprocessor operand may cross the address limit. The address limit is the point at 
which the address space wraps around. For segments with 32-bit addressing, the address 
limit is OFFFFFFFFH; for segments with 16-bit addressing, the address limit is OFFFFH; 
for expand-down segments, the address limit is 0. 
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The processor checks only the first and last bytes of a coprocessor operand before per- 
forming an operation on the operand. If the first and last bytes of the operand are in the 
segment, but on different sides of the address limit, it is possible for the middle part of 
the operand to be in memory which is outside of the segment, write-protected, or not- 
present. For example, a 64-bit operand at address OFFFCH in a segment with 16-bit 
addressing occupies the bytes from OFFFCH to OFFFFH and from to 3. If the segment 
limit is set to OFFFDH, the second, third, and fourth bytes of the operand are outside of 
the segment. If a new page starts at OFFFDH, the second, third, and fourth bytes of the 
operand may be write-protected or not-present. Any of these cases will generate a 
coprocessor-segment-overrun exception. 

The addresses of the failed numeric instruction and its operand may be lost; a FSTENV 
instruction does not return reliable numeric coprocessor state information. The 
coprocessor-segment-overrun exception should be handled by executing a FNINIT in- 
struction (i.e., a FINIT instruction without a preceding WAIT instruction). The return 
address on the stack might not point to either the failed numeric instruction or the 
instruction following the failed numeric instruction. The failed numeric instruction is not 
restartable; however, the interrupted task may be restartable if it did not contain the 
failed numeric instruction. 

For the 387™ DX math coprocessor, the address limit can be avoided by keeping copro- 
cessor operands at least 108 bytes away from the limit (108 bytes is the largest number of 
bytes affected by a floating-point arithmetic instruction, the FSTORE instruction). 

11.1.5.3 INTERRUPT 16-COPROCESSOR ERROR 

The 387 DX math coprocessor can generate a coprocessor-error exception in response to 
six different exception conditions. If the exception condition is not masked by a bit in the 
control register of the coprocessor, it appears as a signal at the ERROR# input of the 
processor. The processor generates a coprocessor-error exception the next time the sig- 
nal on the ERROR# input is sampled, which is only at the beginning of the next WAIT 
instruction or certain ESC instructions. If the exception is masked, the coprocessor han- 
dles the exception itself; it does not assert the signal on the ERROR# input in this case. 

11.2 GENERAL-PURPOSE MULTIPROCESSING 

The 386 DX microprocessor has the basic features needed to implement a general- 
purpose multiprocessing system. While the system architecture of multiprocessor systems 
varies greatly, they generally have a need for reliable communications with memory. A 
processor in the process of reading a segment descriptor, for example, should reject 
attempts to update the descriptor until the read operation is complete. 

It also is necessary to have reliable communications with other processors. Bus masters 
need to exchange data in a reliable way. For example, a bit in memory may be shared by 
several bus masters for use as a signal that some resource, such as a peripheral device, is 
idle. A bus master may test this bit, see that the resource is free, and change the state of 
the bit. The state would indicate to other potential bus masters that the resource is in 
use. A problem could arise if another bus master reads the bit between the time the first 
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bus master reads the bit and the time the state of the bit is changed. This condition 
would indicate to both potential bus masters that the resource is free. They may inter- 
fere with each other as they both attempt to use the resource. The processor prevents 
this problem through support of locked bus cycles; requests for control of the bus are 
ignored during locked cycles. 

The 386 DX microprocessor protects the integrity of critical memory operations by as- 
serting a signal called LOCK#. It is the responsibility of the hardware designer to use 
this signal for blocking memory access between processors when this signal is asserted. 

The processor automatically asserts this signal for some critical memory operations. Soft- 
ware can specify which other memory operations also need to have this signal asserted. 

The features of the general-purpose multiprocessing interface include: 

• The LOCK# signal, which appears on a pin of the processor. 

• The LOCK instruction prefix, which allows software to assert the LOCK# signal. 

• Automatic assertion of the LOCK# signal; for some kinds of memory operations. 

1 1 .2.1 LOCK Prefix and the LOCK# Signal 

The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following 386 DX CPU instructions when they modify memory. An invalid-opcode 
exception results from using the LOCK prefix before any other instruction, or with these 
instructions when no write operation is made to memory (i.e., when the destination 
operand is in a register). 

• Bit test and change: the BTS, BTR, and BTC instructions. 

• Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
80286 configurations lock the entire physical memory space. 

Semaphores (shared memory used for signalling between multiple processors) should be 
accessed using identical address and length. For example, if one processor accesses a 
semaphore using word access, other processors should not access the semaphore using 
byte access. 

The integrity of the lock is not affected by the alignment of the memory field. The 
LOCK# signal is asserted for as many bus cycles as necessary to update the entire 
operand. 
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11 .2.2 Automatic Locking 

There are some critical memory operations for which the processor automatically asserts 
the LOCK# signal. These operations are: 

• Acknowledging interrupts. 

After an interrupt request, the interrupt controller uses the data bus to send the 
interrupt vector of the source of the interrupt to the processor. The processor asserts 
LOCK# to ensure no other data appears on the data bus during this time. 

• Setting the Busy bit of a TSS descriptor. 

The processor tests and sets the Busy bit in the Type field of the TSS descriptor when 
switching to a task. To ensure two different processors do not switch to the same task 
simultaneously, the processor asserts the LOCK# signal while testing and setting 
this bit. 

• Loading of segment descriptors. 

While copying the contents of a segment descriptor from a descriptor table to a 
segment register, the processor asserts LOCK# so the descriptor will not be modified 
by another processor while it is being loaded. For this action to be effective, 
operating-system procedures which update descriptors should use the following steps: 

- Use a locked operation when updating the access-rights byte to mark the 
descriptor not-present, and specify a value for the Type field which indicates the 
descriptor is being updated. 

- Update the fields of the descriptor. (This may require several memory accesses; 
therefore, LOCK cannot be used.) 

- Use a locked operation when updating the access-rights byte to mark the 
descriptor as valid and present. 

• Executing an XCHG instruction. 

The 386 DX microprocessor always asserts LOCK# during an XCHG instruction 
which references memory (even if the LOCK prefix is not used). 

• Updating page-table A and D bits. 

The processor asserts LOCK# while updating the A (accessed) and D (dirty) bits of 
the page-table entries. Also the processor bypasses the page-table cache and directly 
updates these bits in memory. 



11.2.3 Stale Data 

Multiprocessor systems are subject to conditions under which updates to data in one 
processor are not applied to copies of the data in other processors. This can occur with 
the 386 DX microprocessor when segment descriptors are updated. 

If multiple processors are sharing segment descriptors and one processor updates a 
segment descriptor, the other processors may retain old copies of the descriptor in the 
invisible part of their segment registers. 
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An interrupt sent from one processor to another can handle this problem. When one 
processor changes data which may be held in other processors, it can send an interrupt 
signal to them. If the interrupt is serviced by an interrupt task, the task switch automat- 
ically discards the data in the invisible part of the segment registers. When the task 
returns, the data is updated from the descriptor tables in memory. 

In multiprocessor systems which need a cachability signal from the processor, it is 
recommended that physical address pin A31 be used to indicate cachability. Segment 
descriptors or page table entries may be used to control this bit from software. The 
system then can possess up to 2 gigabytes of physical memory (half the address space is 
sacrificed). 
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CHAPTER 12 
DEBUGGING 

The 386™ DX microprocessor has advanced debugging facilities which are particularly 
important for sophisticated software systems, such as multitasking operating systems. 
The failure conditions for these software systems can be very complex and time- 
dependent. The debugging features of the 386 DX microprocessor give the system pro- 
grammer valuable tools for looking at the dynamic state of the processor. 

The debugging support is accessed through the debug registers. They hold the addresses 
of memory locations, called breakpoints, which invoke debugging software. An exception 
is generated when a memory operation is made to one of these addresses. A breakpoint 
is specified for a particular form of memory access, such as an instruction fetch or a 
doubleword write operation. The debug registers support both instruction breakpoints 
and data breakpoints. 

With other processors, instruction breakpoints are set by replacing normal instructions 
with breakpoint instructions. When the breakpoint instruction is executed, the debugger 
is called. But with the debug registers of the 386 DX microprocessor, this is not neces- 
sary. By eliminating the need to write into the code space, the debugging process is 
simplified (there is no need to set up a data segment mapped to the same memory as the 
code segment) and breakpoints can be set in ROM-based software. In addition, break- 
points can be set on reads and writes to data which allows real-time monitoring of 
variables. 



12.1 DEBUGGING SUPPORT 

The features of the Intel386™ architecture which support debugging are: 
Reserved debug interrupt vector 

Specifies a procedure or task to be called when an event for the debugger occurs. 
Debug address registers 

Specifies the addresses of up to four breakpoints. 
Debug control register 

Specifies the forms of memory access for the breakpoints. 
Debug status register 

Reports conditions which were in effect at the time of the exception, 
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Trap bit of TSS (T-bit) 

Generates a debug exception when an attempt is made to perform a task switch to a 
task with this bit set in its TSS. 

Resume flag (RT) 

Suppresses muhiple exceptions to the same instruction. 
Trap flag (TF) 

Generates a debug exception after every execution of an instruction. 

Breakpoint instruction 

Calls the debugger (generates a debug exception). This instruction is an alternative 
way to set code breakpoints. It is especially useful when more than four breakpoints 
are desired, or when breakpoints are being placed in the source code. 

Reserved interrupt vector for breakpoint exception 

Calls a procedure or task when a breakpoint instruction is executed. 

These features allow a debugger to be called either as a separate task or as a procedure 
in the context of the current task. The following conditions can be used to call the 
debugger: 

• Task switch to a specific task. 

• Execution of the breakpoint instruction. 

• Execution of any instruction. 

• Execution of an instruction at a specified address. 

• Read or write of a byte, word, or doubleword at a specified address. 

• Write to a byte, word, or doubleword at a specified address. 

• Attempt to change the contents of a debug register. 

12.2 DEBUG REGISTERS 

Six registers are used to control debugging. These registers are accessed by forms of the 
MOV instruction. A debug register may be the source or destination operand for one of 
these instructions. The debug registers are privileged resources; the MOV instructions 
which access them may be executed only at privilege level 0. An attempt to read or write 
the debug registers from any other privilege level generates a general-protection excep- 
tion. Figure 12-1 shows the format of the debug registers. 
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DEBUG REGISTERS 
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Figure 12-1. Debug Registers 

12.2.1 Debug Address Registers (DR0-DR3) 

Each of these registers holds the Hnear address for one of the four breakpoints. If paging 
is enabled, these addresses are translated to physical addresses by the paging algorithm. 
Each breakpoint condition is specified further by the contents of the DR7 register. 

12.2.2 Debug Control Register (DR7) 

The debug control register shown in Figure 12-1 specifies the sort of memory access 
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associated with each breakpoint. Each address in registers DRO to DR3 corresponds to a 
field RAVO to RAV3 in the DR7 register. The processor interprets these bits as follows: 

00 — Break on instruction execution only 

01 — Break on data writes only 

10 — undefined 

11 — Break on data reads or writes but not instruction fetches 

The LENO to LEN3 fields in the DR7 register specify the size of the breakpointed 
location in memory. A size of 1, 2, or 4 bytes may be specified. The length fields are 
interpreted as follows: 

00 — one-byte length 

01 — two-byte length 
10— undefined 

11 — four-byte length 

If RWn is 00 (instruction execution), then LENn should also be 00. The effect of using 
any other length is undefined. 

The low eight bits of the DR7 register (fields LO to L3 and GO to G3) individually enable 
the four address breakpoint conditions. There are two levels of enabling: the local (LO 
through L3) and global (GO through G3) levels. The local enable bits are automatically 
cleared by the processor on every task switch to avoid unwanted breakpoint conditions in 
the new task. They are used to breakpoint conditions in a single task. The global enable 
bits are not cleared by a task switch. They are used to enable breakpoint conditions 
which apply to all tasks. 

The LE and GE bits control the "exact data breakpoint match" mode of the debugging 
mechanism. If either the LE or GE bit is set, the processor slows execution so that data 
breakpoints are reported for the instruction which triggered the breakpoint, rather than 
the next instruction to execute. One of these bits should be set when data breakpoints 
are used. The processor clears the LE bit at a task switch, but it does not clear the 
GE bit. 



12.2.3 Debug Status Register (DR6) 

The debug status register shown in Figure 12-1 reports conditions sampled at the time 
the debug exception was generated. Among other information, it reports which break- 
point triggered the exception. 

When an enabled breakpoint generates a debug exception, it loads the low four bits of 
this register (BO through B3) before entering the debug exception handler. The B bit is 
set if the condition described by the DR, LEN, and RAV bits is true, even if the break- 
point is not enabled by the L and G bits. The processor sets the B bits for all breakpoints 
which match the conditions present at the time the debug exception is generated, 
whether or not they are enabled. 
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The BT bit is associated with the T bit (debug trap bit) of the TSS (see Chapter 6 for the 
format of a TSS). The processor sets the BT bit before entering the debug handler if a 
task switch has occurred to a task with a set T bit in its TSS. There is no bit in the DR7 
register to enable or disable this exception; the T bit of the TSS is the only enabling bit. 

The BS bit is associated with the TF flag. The BS bit is set if the debug exception was 
triggered by the single-step execution mode (TF flag set). The single-step mode is the 
highest-priority debug exception; when the BS bit is set, any of the other debug status 
bits also may be set. 

The BD bit is set if the next instruction will read or write one of the eight debug registers 
while they are being used by in-circuit emulation. 

Note that the contents of the DR6 register are never cleared by the processor. To avoid 
any confusion in identifying debug exceptions, the debug handler should clear the regis- 
ter before returning. 



12.2.4 Breakpoint Field Recognition 

The address and LEN bits for each of the four breakpoint conditions define a range of 
sequential byte addresses for a data breakpoint. The LEN bits permit specification of a 
one-, two-, or four-byte range. Two-byte ranges must be aligned on word boundaries 
(addresses which are multiples of two) and four-byte ranges must be aligned on double- 
word boundaries (addresses which are multiples of four). These requirements are en- 
forced by the processor; it uses the LEN bits to mask the lower address bits in the debug 
registers. Unaligned code or data breakpoint addresses do not yield the expected results. 

A data breakpoint for reading or writing is triggered if any of the bytes participating in a 
memory access is within the range defined by a breakpoint address register and its LEN 
bits. Table 12-1 gives some examples of combinations of addresses and fields with mem- 
ory references which do and do not cause traps. 

A data breakpoint for an unaligned operand can be made from two sets of entries in the 
breakpoint registers where each entry is byte-aligned, and the two entries together cover 
the operand. This breakpoint generates exceptions only for the operand, not for any 
neighboring bytes. 

Instruction breakpoint addresses must have a length specification of one byte (LEN = 
00); the behavior of code breakpoints for other operand sizes is undefined. The proces- 
sor recognizes an instruction breakpoint address only when it points to the first byte of 
an instruction. If the instruction has any prefixes, the breakpoint address must point to 
the first prefix. 
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Table 12-1. Breakpointing Examples 



Comment 


Address (hex) 


Length (in bytes) 


Register Contents 
Register Contents 
Register Contents 
Register Contents 


DRO 
DR1 
DR2 
DR3 


A0001 
A0002 
B0002 
COOOO 


1 (LENO = 00) 

1 (LENO = 00) 

2 (LENO = 01) 
4 (LENO = 11) 


Memory Operations Which Trap 


A0001 
A0002 
A0001 
A0002 
B0002 
B0001 
COOOO 
C0001 
00003 


1 
1 
2 
2 
2 
4 
4 
2 
1 


Memory Operations Which Don't Trap 




AOOOO 
A0003 
BOOOO 
C0004 


1 
4 
2 
4 



12.3 DEBUG EXCEPTIONS 



Two of the interrupt vectors of the 386 DX microprocessor are reserved for debug 
exceptions. The debug exception is the usual v^ay to invoke debuggers designed for the 
386 DX microprocessor; the breakpoint exception is intended for putting breakpoints in 
debuggers. 



1 2.3.1 interrupt 1 - Debug Exceptions 



The handler for this exception usually is a debugger or part of a debugging system. The 
processor generates a debug exception for any of several conditions. The debugger can 
check flags in the DR6 and DRV registers to determine which condition caused the 
exception and which other conditions also might apply. Table 12-2 shows the states of 
these bits for each kind of breakpoint condition. 



Table 12-2. Debug Exception Conditions 


Flags Tested 


Description 


BS = 1 


Single-step trap 


BO = 1 and (GEO = 1 or LEO = 1) 


Breakpoint defined by DRO, LENO, and R/WO 


B1 = 1 and(GE1 = 1 or LE1 = 1) 


Breakpoint defined by DR1, LEN1, and R/W1 


B2 = 1 and (GE2 = 1 or LE2 = 1) 


Breakpoint defined by DR2, LEN2, and R/W2 


B3 = 1 and (GE3 = 1 or LE3 = 1) 


Breakpoint defined by DR3, LEN3, and R/W3 


BD = 1 


Debug registers in use for in-circuit emulation 


BT = 1 


Task switch 
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Instruction breakpoints are faults; other debug exceptions are traps. The debug excep- 
tion may report either or both at one time. The following sections present details for 
each class of debug exception. 

12.3.1.1 INSTRUCTION-BREAKPOINT FAULT 

The processor reports an instruction breakpoint before it executes the breakpointed 
instruction (i.e., a debug exception caused by an instruction breakpoint is a fault). 

The RF flag permits the debug exception handler to restart instructions which cause 
faults other than debug faults. When one of these faults occurs, the system software 
writer must set the RF bit in the copy of the EFLAGS register which is pushed on the 
stack in the debug exception handler routine. This bit is set in preparation of resuming 
the program's execution at the breakpoint address without generating another break- 
point fault on the same instruction. (Note: the RF bit does not cause breakpoint traps or 
other kinds of faults to be ignored.) 

The processor clears the RF flag at the successful completion of every instruction except 
after the IRET instruction, the POPF instruction, and JMP, CALL, or INT instructions 
which cause a task switch. These instructions set the RF flag to the value specified by the 
the saved copy of the EFLAGS register. 

The processor sets the RF flag in the copy of the EFLAGS register pushed on the stack 
before entry into any fault handler. When the fault handler is entered for instruction 
breakpoints, for example, the RF flag is set in the copy of the EFLAGS register pushed 
on the stack; therefore, the IRET instruction which returns control from the exception 
handler will set the RF flag in the EFLAGS register, and execution will resume at 
the breakpointed instruction without generating another breakpoint for the same 
instruction. 

If, after a debug fault, the RF flag is set and the debug handler retries the faulting 
instruction, it is possible that retrying the instruction will generate other faults. The 
restart of the instruction after these faults also occurs with the RF flag set, so repeated 
debug faults continue to be suppressed. The processor clears the RF flag only after 
successful completion of the instruction. 

12.3.1.2 DATA-BREAKPOINT TRAP 

A data-breakpoint exception is a trap; i.e., the processor generates an exception for a 
data breakpoint after executing the instruction which accesses the breakpointed memory 
location. 

When using data breakpoints, it is recommended either the LE or GE bits of the DR7 
register also be set. If either the LE or GE bits are set, any data breakpoint trap is 
reported immediately after completion of the instruction which accessed the break- 
pointed memory location. This immediate reporting is done by forcing the 386 DX 
microprocessor execution unit to wait for completion of data operand transfers before 
beginning execution of the next instruction. If neither bit is set, data breakpoints may not 
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be generated until one instruction after the data is accessed, or they may not be gener- 
ated at all. This is because instruction execution normally is overlapped with memory 
transfers. Execution of the next instruction may begin before the memory operations of 
the previous instruction are completed. 

If a debugger needs to save the contents of a write breakpoint location, it should save 
the original contents before setting the breakpoint. Because data breakpoints are traps, 
the original data is overwritten before the trap exception is generated. The handler can 
report the saved value after the breakpoint is triggered. The data in the debug registers 
can be used to address the new value stored by the instruction which triggered the 
breakpoint. 

12.3.1.3 GENERAL-DETECT FAULT 

The general-detect fault occurs when an attempt is made to use the debug registers at 
the same time they are being used by in-circuit emulation. This additional protection 
feature is provided to guarantee emulators can have full control over the debug registers 
when required. The exception handler can detect this condition by checking the state of 
the BD bit of the DR6 register. 

12.3.1.4 SINGLE-STEP TRAP 

This trap occurs after an instruction is executed if the TF flag was set before the instruc- 
tion was executed. Note the exception does not occur after an instruction which sets the 
TF flag. For example, if the POPF instruction is used to set the TF flag, a single-step 
trap does not occur until after the instruction following the POPF instruction. 

The processor clears the TF flag before calling the exception handler. If the TF flag was 
set in a TSS at the time of a task switch, the exception occurs after the first instruction is 
executed in the new task. 

The single-step flag normally is not cleared by privilege changes inside a task. The INT 
instructions, however, do clear the TF flag. Therefore, software debuggers which single- 
step code must recognize and emulate INTn or INTO instructions rather than executing 
them directly. 

To maintain protection, the operating system should check the current execution privi- 
lege level after any single-step trap to see if single stepping should continue at the 
current privilege level. 

The interrupt priorities guarantee that if an external interrupt occurs, single stepping 
stops. When both an external interrupt and a single step interrupt occur together, the 
single step interrupt is processed first. This clears the TF flag. After saving the return 
address or switching tasks, the external interrupt input is examined before the first 
instruction of the single step handler executes. If the external interrupt is still pending, 
then it is serviced. The external interrupt handler does not run in single-step mode. To 
single step an interrupt handler, single step an INTn instruction which calls the interrupt 
handler. 

12-8 



intei' 



DEBUGGING 



12.3.1.5 TASK-SWITCH TRAP 

The debug exception also occurs after a task switch if the T bit of the new task's TSS is 
set. The exception occurs after control has passed to the new task, but before the first 
instruction of that task is executed. The exception handler can detect this condition by 
examining the BT bit of the DR6 register. 

Note that if the debug exception handler is a task, the T bit of its TSS should not be set. 
Failure to observe this rule will put the processor in a loop. 

12.3.2 Interrupt 3 -Breakpoint Instruction 

The breakpoint trap is caused by execution of the INT 3 instruction. Typically, a debug- 
ger prepares a breakpoint by replacing the first opcode byte of an instruction with the 
opcode for the breakpoint instruction. When execution of the INT 3 instruction calls the 
exception handler, the return address points to the first byte of the instruction following 
the INT 3 instruction. 

With older processors, this feature is used extensively for setting instruction breakpoints. 
With the 386 DX microprocessor, this use is more easily handled using the debug regis- 
ters. However, the breakpoint exception still is useful for breakpointing debuggers, 
because the breakpoint exception can call an exception handler other than itself. The 
breakpoint exception also can be useful when it is necessary to set a greater number of 
breakpoints than permitted by the debug registers, or when breakpoints are being placed 
in the source code of a program under development. 
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CHAPTER 13 
EXECUTING 80286 PROGRAMS 

In general, programs written for protected mode on an 80286 processor run without 
modification on the 386™ DX microprocessor, because the features of the 80286 proces- 
sor are an object-code compatible subset of those of the 386 DX microprocessor. The 
Default bit in segment descriptors indicates whether the processor is to treat a code, 
data, or stack segment as an 80286 or 386 DX CPU segment. 

The segment descriptors used by the 80286 processor are supported by the 386 DX 
microprocessor if the Intel®-reserved word (highest word) of the descriptor is clear. On 
the 386 DX microprocessor, this word includes the upper bits of the base address and 
the segment limit. 

The segment descriptors for data segments, code segments, local descriptor tables (there 
are no descriptors for global descriptor tables), and task gates are the same for both the 
80286 and 386 DX microprocessors. Other 80286 descriptors, TSS segment, call gate, 
interrupt gate, and trap gate, are supported by the 386 DX microprocessor. The 386 DX 
microprocessor also has new versions of descriptors for TSS segment, call gate, interrupt 
gate, and trap gate which support the 32-bit architecture of the 386 DX microprocessor. 
Both kinds of descriptors can be used in the same system. 

For those segment descriptors common to both the 80286 and 386 DX microprocessors, 
clear bits in the reserved word cause the 386 DX microprocessor to interpret these 
descriptors exactly as the 80286 processor does; for example: 

Base Address The upper eight bits of the 32-bit base address are clear, which limits 
base addresses to 24 bits. 

Limit The upper four bits of the limit field are clear, restricting the value of 

the limit field to 64K bytes. 

Granularity bit The Granularity bit is clear, indicating the value of the 16-bit limit is 
interpreted in units of 1 byte. 

Big bit In a data-segment descriptor, the B bit is clear, indicating the segment 

is no larger than 64 Kbytes. 

Default bit In an code-segment descriptor, the D bit is clear, indicating 16-bit 

addressing and operands are the default. In a stack-segment descrip- 
tor, the D bit is clear, indicating use of the SP register (instead of the 
ESP register) and a 64K byte maximum segment limit. 

For formats of these descriptors and documentation of their use see the iAPX 80286 
Programmer's Reference Manual. 
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13.1 TWO WAYS TO RUN 80286 TASKS 

When porting 80286 programs to the 386 DX microprocessor, there are two approaches 
to consider: 

1. Porting an entire 80286 software system to the 386 DX microprocessor, complete 
with the old operating system, loader, and system builder. 

In this case, all tasks will have 80286 TSSs. The 386 DX microprocessor is being 
used as if it were a faster version of the 80286 processor. 

2. Porting selected 80286 applications to run in a 386 DX microprocessor environment 
with a 386 DX microprocessor operating system, loader, and system builder. 

In this case, the TSSs used to represent 80286 tasks should be changed to 386 DX 
processor TSSs. It is possible to mix 80286 and 386 DX processor TSSs, but the 
benefits are small and the problems are great. All tasks in a 386 DX microprocessor 
software system should have 386 DX processor TSSs. It is not necessary to change 
the 80286 object modules theriiselves; TSSs are usually constructed by the operating 
system, by the loader, or by the system builder. See Chapter 16 for more discussion 
of the interface between 16-bit and 32-bit code. 

13.2 DIFFERENCES FROM 80286 PROCESSOR 

The few differences between the 80286 and 386 DX microprocessors affect operating 
systems more than application programs. 

13.2.1 Wraparound of 80286 Processor 24-Bit Physical Address Space 

With the 80286 processor, any base and offset combination which addresses beyond 16 
megabytes wraps around to the first megabyte of the address space. With the 386 DX 
microprocessor, because it has a greater physical address space, any such address maps 
to the 17th megabyte. In the unlikely event that any software depends on address wrap- 
around, the same effect can be simulated on the 386 DX microprocessor by using paging 
to map the first 64K bytes past the top of the 16 megabyte address space to the bottom 
64K bytes of the segment. 

13.2.2 Reserved Word of Segment Descriptor 

Because the 386 DX microprocessor uses the contents of the reserved word of 80286 
segment descriptors, 80286 programs which place values in this word may not run cor- 
rectly on the 386 DX microprocessor. 

13.2.3 New Segment Descriptor Type Codes 

Operating-system code which manages space in descriptor tables often uses an invalid 
value in the access-rights field of descriptor-table entries to identify unused entries. 
Access rights values of 80H and OOH remain invalid for both the 80286 and 386 DX 
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microprocessors. Other values which were invahd on the 80286 processor may be vaHd 
on the 386 DX microprocessor because uses for these bits are defined for the 386 DX 
microprocessor. 

13.2.4 Restricted Semantics of LOCK Prefix 

The 80286 processor performs the bus lock function differently than the 386 DX micro- 
processor. Programs which use forms of memory locking specific to the 80286 processor 
may not run properly when run on the 386 DX microprocessor. 

The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following 386 DX microprocessor instructions when they modify memory. An 
invalid-opcode exception results from using the LOCK prefix before any other instruc- 
tion, or with these instructions when no write operation is made to memory (i.e., when 
the destination operand is in a register). 

• Bit test and change: the BTS, BTR, and BTC instructions. 

• Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
80286 processor configurations lock the entire physical memory space. 

On the 80286 processor, the LOCK prefix is sensitive to lOPL; if CPL is less privileged 
than the lOPL, a general protection exception is generated. On the 386 DX micro- 
processor, no check against lOPL is performed. 

13.2.5 Additional Exceptions 

The 386 DX microprocessor defines new exceptions which can occur even in systems 
designed for the 80286 processor. 

• Exception #6 — invalid opcode 

This exception can result from improper use of the LOCK instruction prefix. 

o Exception #14 — page fault 

This exception may occur in an 80286 program if the operating system enables paging. 
Paging can be used in a system with 80286 tasks if all tasks use the same page direc- 
tory. Because there is no place in an 80286 TSS to store the PDBR register, switching 
to an 80286 task does not change the value of the PDBR register. Tasks ported from 
the 80286 processor should be given 386 DX processor's TSSs so they can make full 
use of paging. 
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CHAPTER 14 
386'" DX MICROPROCESSOR REAL-ADDRESS MODE 

The real-address mode of the 386™ DX microprocessor runs programs written for the 
8086, 8088, 80186, or 80188 processors, or for the real-address mode of an 80286 
processor. 

The architecture of the 386 DX microprocessor in this mode is almost identical to that of 
the 8086, 8088, 80186, and 80188 processors. To a programmer, a 386 DX microproces- 
sor in real-address mode appears as a high-speed 8086 processor with extensions to the 
instruction set and registers. The principal features of this architecture are defined in 
Chapters 2 and 3. 

This chapter discusses certain additional topics which complete the system programmer's 
view of the 386 DX microprocessor in real-address mode: 

o Address formation. 

• Extensions to registers and instructions. 

• Interrupt and exception handling. 

• Entering and leaving real-address mode. 

• Real-address mode exceptions. 

9 Differences from 8086 processor. 

• Differences from 80286 processor in real-address mode. 

14.1 ADDRESS TRANSLATION 

In real-address mode, the 386 DX microprocessor does not interpret 8086 selectors by 
referring to descriptors; instead, it forms Hnear addresses as an 8086 processor would. It 
shifts the selector left by four bits to form a 20-bit base address. The effective address is 
extended with four clear bits in the upper bit positions and added to the base address to 
create a linear address, as shown in Figure 14-1. 

Because of the possibility of a carry, the resulting linear address may have as many as 21 
significant bits. An 8086 program may generate linear addresses anywhere in the range 
to lOFFEFH (1 megabyte plus approximately 64K bytes) of the linear address space. 
Because paging is not available in real-address mode, the linear address is used as the 
physical address. 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor can generate 32-bit 
effective addresses using an address override prefix; however in real-address mode, the 
value of a 32-bit address may not exceed 65,535 without causing an exception. For full 
compatibility with 80286 real-address mode, pseudo-protection faults (interrupt 12 or 13 
with no error code) occur if an effective address is generated outside the range through 
65,535. 
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Figure 14-1. 8086 Address Translation 

14.2 REGISTERS AND INSTRUCTIONS 

The register set available in real-address mode includes all the registers defined for the 
8086 processor plus the new registers introduced with the 386 DX microprocessor: FS, 
GS, debug registers, control registers, and test registers. New instructions which explic- 
itly operate on the segment registers FS and GS are available, and the new segment- 
override prefixes can be used to cause instructions to use the FS and GS registers for 
address calculations. 

The instruction codes which generate invalid-opcode exceptions include instructions 
from protected mode which move or test 386 DX microprocessor segment selectors and 
segment descriptors, i.e., the VERR, VERW, LAR, LSL, LTR, STR, LLDT, and SLDT 
instructions. Programs executing in real-address mode are able to take advantage of the 
new application-oriented instructions added to the architecture with the introduction of 
the 80186, 80188, 80286, and 386 DX microprocessors: 

• New instructions introduced on the 80186, 80188, and 80286 processors. 

- PUSH immediate data 

- Push all and pop all (PUSHA and POPA) 

- Multiply immediate data 

- Shift and rotate by immediate count 

- String I/O 

- ENTER and LEAVE instructions 

- BOUND instruction 

• New instructions introduced on the 386 DX microprocessor. 

- LSS, LFS, LGS instructions 

- Long-displacement conditional jumps 

- Single-bit instructions 
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- Bit scan instructions 

- Double-shift instructions 

- Byte set on condition instruction 

- Move with sign/zero extension 

- GeneraHzed multiply instruction 

- MOV to and from control registers 

- MOV to and from test registers 

- MOV to and from debug registers 

14.3 INTERRUPT AND EXCEPTION HANDLING 

Interrupts and exceptions in 386 DX microprocessor real-address mode work much as 
they do on an 8086 processor. Interrupts and exceptions call interrupt procedures 
through an interrupt table. The processor scales the interrupt or exception identifier by 
four to obtain an index into the interrupt table. The entries of the interrupt table are far 
pointers to the entry points of interrupt or exception handler procedures. When an 
interrupt occurs, the processor pushes the current values of the CS and IP registers onto 
the stack, disables interrupts, clears the TF flag, and transfers control to the location 
specified in the interrupt table. An IRET instruction at the end of the handler proce- 
dure reverses these steps before returning control to the interrupted procedure. Excep- 
tions do not return error codes in real-address mode. 

The primary difference in the interrupt handling of the 386 DX microprocessor com- 
pared to the 8086 processor is the location and size of the interrupt table depend on the 
contents of the IDTR register. Ordinarily, this fact is not apparent to programmers, 
because, after reset initialization, the IDTR register contains a base address of and a 
limit of 3FFH, which is compatible with the 8086 processor. However, the LIDT instruc- 
tion can be used in real-address mode to change the base and limit values in the IDTR 
register. See Chapter 9 for details on the IDTR register, and the LIDT and SIDT in- 
structions. If an interrupt occurs and its entry in the interrupt table is beyond the limit 
stored in the IDTR register, a double-fault exception is generated. 

14.4 ENTERING AND LEAVING REAL-ADDRESS MODE 

Real-address mode is in effect after reset initialization. Even if the system is going to run 
in protected mode, the start-up program runs in real-address mode while preparing to 
switch to protected mode. 

14.4.1 Switching to Protected Mode 

The only way to leave real-address mode is to switch to protected mode. The processor 
enters protected mode when a MOV to CRO instruction sets the PE (protection enable) 
bit in the CRO register. (For compatibility with the 80286 processor, the LMSW instruc- 
tion also may be used to set the PE bit.) 
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See Chapter 10 "Initialization" for other aspects of switching to protected mode. 

14.5 SWITCHING BACK TO REAL-ADDRESS MODE 

The processor re-enters real-address mode if software clears the PE bit in the CRO 
register with a MOV CRO instruction (for compatibility with the 80286 processor, the 
LMSW instruction can set the PE bit, but cannot clear it). A procedure which re-enters 
real-address mode should proceed as follows: 

1. If paging is enabled, perform the following sequence: 

• Transfer control to linear addresses which have an identity mapping; i.e., linear 
addresses equal physical addresses. 

• Clear the PG bit in the CRO register. 

• Move a into the CR3 register to flush the TLB. 

2. Transfer control to a segment which has a limit of 64K (OFFFFH). This loads the CS 
register with the segment limit it needs to have in real mode. 

3. Load segment registers SS, DS, ES, FS, and GS with a selector for a descriptor 
containing the following values, which are appropriate for real mode: 

• Limit - 64K (OFFFFH) 

• Byte granular (G = 0) 

• Expand up (E = 0) 

• Writable (W = 1) 

• Present (P = 1) 

• Base = any value 

Note that if the segment registers are not reloaded, execution continues using the 
descriptors loaded during protected mode. 

4. Disable interrupts. A CLI instruction disables INTR interrupts. NMI interrupts can 
be disabled with external circuitry. 

5. Clear the PE bit in the CRO register. 

6. Jump to the real mode program using a far JMP instruction. This flushes the instruc- 
tion queue and puts appropriate values in the access rights of the CS register. 

7. Use the LIDT instruction to load the base and limit of the real-mode interrupt 
vector table. 

8. Enable interrupts. 

9. Load the segment registers as needed by the real-mode code. 

14.6 REAL-ADDRESS MODE EXCEPTIONS 

The 386 DX microprocessor reports some exceptions differently when executing in real- 
address mode than when executing in protected mode. Table 14-1 details the real- 
address-mode exceptions. 
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Table 14-1. Exceptions and Interrupts 









Does the Return Address 


Description 


Vector 


Source of the 
Exception 


Point to the Instruction Which 
Caused the Exception? 


Divide Error 





DIV and IDIV instructions 


yes 


Debug 


1 


any 


1 


Breakpoint 


3 


INT instruction 


no 


Overflow 


4 


INTO instruction 


no 


Bounds Check 


5 


BOUND instruction 


yes 


Invalid Opcode 


6 


reserved opcodes 
and improper use of 
LOCK prefix 


yes 


Coprocessor Not 


7 


ESC or WAIT 


yes 


Available 








IDT limit too small 


8 


any 


yes 


Reserved 


9 to 11 






Stack Exception 


12 


stack operation 
crosses address 
limit 


yes 


Protection 


13 


operand crosses 
address limit, 
instruction crosses 
address limit, or 
instruction exceeds 
15 bytes 


yes 


Reserved 


14 and 15 






Coprocessor Error 


16 


ESC or WAIT 
instructions 


yes^ 


Software Interrupt 


to 255 


INT n instructions 


no 



1 . Some debug exceptions point to the faulting instruction, others point to the following instruction. The 
exception handler can test the DR6 register to determine which has occurred. 

2. Coprocessor errors are reported on the first ESC or WAIT instruction after the ESC instruction which 
generated the error. 

14.7 DIFFERENCES FROM 8086 PROCESSOR 

In general, the 386 DX microprocessor in real-address mode will correctly run ROM- 
based software designed for the 8086, 8088, 80186, and 80188 processors. Following is a 
list of the minor differences between program execution on the 8086 and 386 DX 
microprocessors. 

1. Instruction clock counts. 

The 386 DX microprocessor takes fewer clocks for most instructions than the 8086 
processor. The areas most likely to be affected are: 

• Delays required by I/O devices between I/O operations. 

• Assumed delays with 8086 processor operating in parallel with an 8087. 

2. Divide-error exceptions point to the DIV instruction. 

Divide-error exceptions on the 386 DX microprocessor always leave the saved CS:IP 
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value pointing to the instruction which failed. On the 8086 processor, the CS:IP 
value points to the next instruction. 

3. Undefined 8086 processor opcodes. 

Opcodes which were not defined for the 8086 processor generate an invalid-opcode 
exception or execute one of the new instructions introduced with the 80286 or 386 
DX microprocessors. 

4. Value written by PUSH SP. 

The 386 DX microprocessor pushes a different value on the stack for a PUSH SP 
instruction than the 8086 processor. The 386 DX microprocessor pushes the value of 
the SP register before it is incremented as part of the push operation; the 8086 
processor pushes the value of the SP register after it is incremented. If the value 
pushed is important, replace PUSH SP instructions with the following three 
instructions: 

PUSH BP 

nov BP, SP 

XCHG BP, [BP] 

This code functions as the 8086 processor PUSH SP instruction on the 386 DX 
microprocessor. 

5. Shift or rotate by more than 31 bits. 

The 386 DX microprocessor masks all shift and rotate counts to the lowest five bits. 
This MOD 32 operation limits the count to a maximum of 31 bits, which limits the 
amount of time that interrupt response may be delayed while the instruction is 
executing. 

6. Redundant prefixes. 

The 386 DX microprocessor sets a limit of 15 bytes on instruction length. The only 
way to violate this limit is by putting redundant prefixes before an instruction. A 
general-protection exception is generated if the limit on instruction length is vio- 
lated. The 8086 processor has no instruction length limit. 

7. Operand crossing offset or 65,535. 

On the 8086 processor, an attempt to access a memory operand which crosses offset 
65,535 (e.g., MOV a word to offset 65,535) or offset (e.g., PUSH a word when SP 
= 1) causes the offset to wrap around modulo 65,536. The 386 DX microprocessor 
generates an exception in these cases: a general-protection exception if the segment 
is a data segment (i.e., if the CS, DS, ES, FS, or GS register is being used to address 
the segment) or a stack exception if the segment is a stack segment (i.e., if the SS 
register is being used). 

8. Sequential execution across offset 65,535. 

On the 8086 processor, if sequential execution of instructions proceeds past offset 
65,535, the processor fetches the next instruction byte from offset of the same 
segment. On the 386 DX microprocessor, the processor generates a general- 
protection exception in such a case. 
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9. LOCK is restricted to certain instructions. 

The LOCK prefix and its output signal should only be used to prevent other bus 
masters from interrupting a data movement operation. The LOCK prefix only may 
be used with the following 386 DX microprocessors instructions when they modify 
memory. An invalid-opcode exception results from using LOCK before any other 
instruction, or with these instructions when no write operation is made to memory. 

• Bit test and change: the BTS, BTR, and BTC instructions. 

• Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

10. Single-stepping external interrupt handlers. 

The priority of the 386 DX microprocessor single-step exception is different from 
the 8086 processor. The change prevents an external interrupt handler from being 
single-stepped if the interrupt occurs while a program is being single-stepped. The 
386 DX microprocessor single-step exception has higher priority than any external 
interrupt. The 386 DX microprocessor still may single-step through an interrupt 
handler called by the INT instructions or by an exception. 

n. IDIV exceptions for quotients of 80H or 8000H. 

The 386 DX microprocessor can generate the largest negative number as a quotient 
for the IDIV instruction. The 8086 processor generates a divide-error exception 
instead. 

12. Flags in stack. 

The setting of the flags stored by the PUSHF instruction, by interrupts, and by 
exceptions is different from that stored by the 8086 processor in bit positions 12 
through 15. On the 8086 processor these bits are set, but in the 386 DX real-address 
mode, bit 15 is always clear, and bits 14 through 12 have the last value loaded into 
them. 

13. NMI interrupting NMI handlers. 

After an NMI interrupt is recognized by the 386 DX microprocessor, the NMI 
interrupt is masked until an IRET instruction is executed. 

14. Coprocessor errors call the coprocessor-error exception. 

Any 386 DX microprocessor with a coprocessor must use the coprocessor-error ex- 
ception. If an 8086 processor uses another exception for the 8087 interrupt, both 
exception vectors should call the coprocessor-error exception handler. 

15. Numeric exception handlers should allow prefixes. 

On the 386 DX microprocessor, the value of the CS and IP registers saved for 
coprocessor-error exceptions points at any prefixes which come before the ESC in- 
struction. On the 8086 processor, the saved CS:IP points to the ESC instruction. 
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16. Coprocessor does not use interrupt controller. 

The coprocessor-error signal to the 386 DX microprocessor does not pass through 
an interrupt controller (an INT signal from 8087 coprocessor does). Some instruc- 
tions in a coprocessor-error exception handler may need to be deleted if they use 
the interrupt controller. 

17. One megabyte wraparound. 

The address space of the 386 DX microprocessor does not wraparound at 1 mega- 
byte in real-address mode. On members of the 8086 family, it is possible to specify 
addresses greater than 1 megabyte. For example, with a selector value OFFFFH and 
an offset of OFFFFH, the effective address would be lOFFEFH (1 megabyte + 
65519 bytes). The 8086 processor, which can form addresses up to 20 bits long, 
truncates the uppermost bit, which "wraps" this address to OFFEFH. However, the 
386 DX microprocessor, which can form addresses up to 32 bits long, does not 
truncate this bit. 

18. Response to bus hold. 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor responds to re- 
quests for control of the bus from other potential bus masters, such as DMA con- 
trollers, between transfers of parts of an unaligned operand, such as two bytes which 
form a word. 

19. Interrupt vector table limit. 

The LIDT instruction can be used to set a limit on the size of the interrupt vector 
table. Shutdown occurs if an interrupt or exception attempts to read a vector beyond 
the limit. (The 8086 processor does not have a shutdown mode.) 

20. If a stack operation wraps around the address limit, shutdown occurs. (The 8086 
processor does not have a shutdown mode.) 

21. Six new interrupt vectors. 

The 386 DX microprocessor adds six exceptions which are generated on an 8086 
processor only by program bugs. Exception handlers should be added which treat 
these exceptions as invalid operations. This additional software does not signifi- 
cantly affect the existing 8086 processor software, because these interrupts do not 
occur normally. These interrupt identifiers should not be used by 8086 software, 
because they are reserved by Intel®. Table 14-2 describes the new 386 DX micro- 
processor exceptions. 



14.8 DIFFERENCES FROM 80286 REAL-ADDRESS MODE 



The few differences which exist between 386 DX microprocessor real-address mode and 
80286 real-address mode are not likely to affect any existing 80286 programs except 
possibly the system initialization procedures. 
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Table 14-2. New 386™ DX Microprocessor Exceptions 



Vector 



Description 



12 
13 



A BOUND instruction was executed with a register value outside the limit values. 
A reserved opcode was encountered, or a LOCK prefix was used improperly. 
The EM bit in the CRO register was set when an ESC instruction executed, or the TS 
bit was set when a WAIT instruction was executed. 

A vector indexes to an entry In the IDT which is beyond the segment limit for the 
IDT. This can only occur if the default limit has been changed. 
A stack operation crossed the address limit. 

An operation (other than a stack operation) exceeds the base or bounds of a seg- 
ment, instruction execution is crossing the address limit (OFFFFH), or an instruction 
exceeds 1 5 bytes. 



14.8.1 Bus Lock 

The 80286 processor implements the bus lock function differently than the 386 DX 
microprocessor. Programs which use forms of memory locking specific to the 80286 pro- 
cessor may not run properly if transported to a specific application of the 386 DX 
microprocessor. 

The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following 386 DX microprocessor instructions when they modify memory. An 
invalid-opcode exception results from using the LOCK prefix before any other instruc- 
tion, or with these instructions when no write operation is made to memory (i.e., when 
the destination operand is in a register). 

• Bit test and change: the BTS, BTR, and BTC instructions. 

• Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
80286 configurations lock the entire physical memory space. 



14.8.2 Location of First Instruction 

The starting location is OFFFFFFFOH (16 bytes from end of the 32-bit address space) on 
the 386 DX microprocessor rather than OFFFFFOH (16 bytes from end of the 24-bit 
address space) as on the 80286 processor. Many 80286 ROM initialization programs will 
work correctly in this new environment. Others can be made to work correctly with 
external hardware to interpret the signals or the address signals A31.20. 
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14.8.3 Initial Values of General Registers 

On the 386 DX microprocessor, certain general registers may contain different values 
after reset initialization than on the 80286 processor. This should not cause compatibility 
problems, because the contents of 8086 registers after reset initialization are undefined. 
If self-test is requested during the reset sequence and errors are detected in the 386 DX 
microprocessor, the EAX register will contain a non-zero value. The EDX register con- 
tains the component and revision identifier. See Chapter 10 for more information. 

14.8.4 MSW Initialization 

The 80286 processor initializes the MSW register to OFFFOH, but the 386 DX micropro- 
cessor initializes this register to OOOOH. This difference should have no effect, because 
the bits which are different are reserved on the 80286 processor. Programs which read 
the value of the MSW will behave differently on the 386 DX microprocessor only if they 
depend on the setting of the undefined reserved bits. 

14.8.5 Bus Hold 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor responds to requests 
for control of the bus from other potential bus masters, such as DMA controllers, be- 
tween transfers of parts of an unaligned operand, such as two words which form a 
doubleword. 
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CHAPTER 15 
VIRTUAL-8086 MODE 

The 386™ DX microprocessor supports execution of one or more 8086, 8088, 80186, or 
80188 programs in a 386 DX microprocessor protected-mode environment. An 8086 
program runs in this environment as part of a virtual-8086 task. Virtual-8086 tasks take 
advantage of the hardware support of multitasking offered by the protected mode. Not 
only can there be multiple virtual-8086 tasks, each one running an 8086 program, but 
virtual-8086 tasks can run in multitasking with other 386 DX microprocessor tasks. 

The purpose of a virtual-8086 task is to form a "virtual machine" for running programs 
written for the 8086 processor. A complete virtual machine consists of 386 DX micro- 
processor hardware and system software. The emulation of an 8086 processor is the 
result of software using hardware: 

o The hardware provides a virtual set of registers (through the TSS), a virtual memory 
space (the first megabyte of the linear address space of the task), and directly exe- 
cutes all instructions which deal with these registers and with this address space. 

• The software controls the external interfaces of the virtual machine (I/O, interrupts, 
and exceptions) in a manner consistent with the larger environment in which it runs. 
In the case of I/O, software can choose either to emulate I/O instructions or to let the 
hardware execute them directly without software intervention. 

Software which supports virtual 8086 machines is called a virtual-8086 monitor. 

15.1 EXECUTING 8086 PROCESSOR CODE 

The processor runs in virtual-8086 mode when the VM (virtual machine) bit in the 
EFLAGS register is set. The processor tests this flag under two general conditions: 

1. When loading segment registers, to know whether to use 8086-style address 
translation. 

2. When decoding instructions, to determine which instructions are sensitive to lOPL. 

Except for these two modifications to its normal operations, the 386 DX microprocessor 
in virtual-8086 mode operates similarly to protected mode. 

15.1.1 Registers and Instructions 

The register set available in virtual-8086 mode includes all the registers defined for the 
8086 processor plus the new registers introduced by the 386 DX microprocessor: FS, GS, 
debug registers, control registers, and test registers. New instructions which explicitly 
operate on the segment registers FS and GS are available, and the new segment-override 
prefixes can be used to cause instructions to use the FS and GS registers for address 
calculations. Instructions can use 32-bit operands through the use of the operand size 
prefix. 
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Programs running as virtual-8086 tasks can take advantage of the new application- 
oriented instructions added to the architecture by the introduction of the 80186, 80188, 
80286 and 386 DX microprocessors: 

• New instructions introduced on the 80186, 80188, and 80286 processors. 

- PUSH immediate data 

- Push all and pop all (PUSHA and POPA) 

- Multiply immediate data 

- Shift and rotate by immediate count 

- String I/O 

- ENTER and LEAVE instruction 

- BOUND instruction 

• New instructions introduced on the 386 DX microprocessor. 

- LSS, LPS, LGS instructions 

- Long-displacement conditional jumps 

- Single-bit instructions 

- Bit scan instructions 

- Double-shift instructions 

- Byte set on condition instruction 

- Move with sign/zero extension 

- Generalized multiply instruction 

- MOV to and from control registers 

- MOV to and from test registers 

- MOV to and from debug registers 

1 5.1 .2 Address Translation 

In virtual-8086 mode, the 386 DX microprocessor does not interpret 8086 selectors by 
referring to descriptors; instead, it forms linear addresses as an 8086 processor would. It 
shifts the selector left by four bits to form a 20-bit base address. The effective address is 
extended with four clear bits in the upper bit positions and added to the base address to 
create a linear address, as shown in Figure 15-1. 

Because of the possibility of a carry, the resulting linear address may have as many as 21 
significant bits. An 8086 program may generate linear addresses anywhere in the range 
to lOFFEFH (1 megabyte plus approximately 64K bytes) of the task's linear address 
space. 

Virtual-8086 tasks generate 32-bit linear addresses. While an 8086 program only can use 
the lowest 21 bits of a linear address, the linear address can be mapped using paging to 
any 32-bit physical address. 
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Figure 15-1. 8086 Address Translation 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor can generate 32-bit 
effective addresses using an address override prefix; however in virtual-8086 mode, the 
value of a 32-bit address may not exceed 65,535 without causing an exception. For full 
compatibility with 80286 real-address mode, pseudo-protection faults (interrupt 12 or 13 
with no error code) occur if an effective address is generated outside the range through 
65,535. 



15.2 STRUCTURE OF A VIRTUAL-8086 TASK 

A virtual-8086 task consists of the 8086 program to be run and the 386 DX microproces- 
sor "native mode" code which serves as the virtual-machine monitor. The task must be 
represented by a 386 DX microprocessor TSS (not an 80286 TSS). The processor enters 
virtual-8086 mode to run the 8086 program and returns to protected mode to run the 
monitor or other 386 DX CPU tasks. 

To run in virtual-8086 mode, an existing 8086 processor program needs the following: 
« A virtual-8086 monitor. 
© Operating-system services. 

The virtual-8086 monitor is 386 DX microprocessor protected-mode code which runs at 
privilege-level (most privileged). The monitor mostly consists of initialization and 
exception-handling procedures. As with any other 386 DX microprocessor program, 
code-segment descriptors for the monitor must exist in the GDT or in the task's LDT. 
The linear addresses above lOFFEFH are available for the virtual-8086 monitor, the 
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operating system, and other system software. The monitor also may need data-segment 
descriptors so it can examine the interrupt vector table or other parts of the 8086 pro- 
gram in the first megabyte of the address space. 

In general, there are two options for implementing the 8086 operating system: 

1. The 8086 operating system may run as part of the 8086 program. This approach is 
desirable for either of the following reasons: 

- The 8086 application code modifies the operating system. 

- There is not sufficient development time to reimplement the 8086 operating 
system as a 386 DX microprocessor operating system. 

2. The 8086 operating system may be implemented or emulated in the virtual-8086 
monitor. This approach is desirable for any of the following reasons: 

- Operating system functions can be more easily coordinated among several 
virtual-8086 tasks. 

- The functions of the 8086 operating system can be easily emulated by calls to the 
386 DX microprocessor operating system. 

Note that the approach chosen for implementing the 8086 processor operating system 
may have different virtual-8086 tasks using different 8086 operating systems. 



15.2.1 Paging for Virtual-8086 Taslcs 

Paging is not necessary for a single virtual-8086 task, but paging is useful or necessary for 
any of the following reasons: 

• Creating multiple virtual-8086 tasks. Each task must map the lower megabyte of lin- 
ear addresses to different physical locations. 

• Emulating the address wraparound which occurs at 1 megabyte. With members of the 
8086 family, it is possible to specify addresses larger than 1 megabyte. For example, 
with a selector value of OFFFFH and an offset of OFFFFH, the effective address 
would be lOFFEFH (1 megabyte plus 65519 bytes). The 8086 processor, which can 
form addresses only up to 20 bits long, truncates the high-order bit, thereby 
"wrapping" this address to OFFEFH. The 386 DX microprocessor, however, does not 
truncate such an address. If any 8086 processor programs depend on address wrap- 
around, the same effect can be achieved in a virtual-8086 task by mapping linear 
addresses between lOOOOOH and llOOOOH and linear addresses between and 
lOOOOH to the same physical addresses. 

• Creating a virtual address space larger than the physical address space. 

• Sharing 8086 operating system or ROM code which is common to several 8086 pro- 
grams running in multitasking. 

• Redirecting or trapping references to memory-mapped I/O devices. 
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15.2.2 Protection within a Virtual-8086 Task 

Protection is not enforced between the segments of an 8086 program. To protect the 
system software running in a virtual-8086 task from the 8086 appHcation program, soft- 
ware designers may follow either of these approaches: 

• Reserve the first megabyte (plus 64K bytes) of each task's linear address space for the 
8086 processor program. An 8086 processor task cannot generate addresses outside 
this range. 

« Use the U/S bit of page-table entries to protect the virtual-machine monitor and 
other system software in each virtual-8086 task's space. When the processor is in 
virtual-8086 mode, the CPL is 3 (least privileged). Therefore, an 8086 processor pro- 
gram has only user privileges. If the pages of the virtual-machine monitor have super- 
visor privilege, they cannot be accessed by the 8086 program. 

15.3 ENTERING AND LEAVING VIRTUAL-8086 MODE 

Figure 15-2 summarizes the ways to enter and leave an 8086 program. Virtual-8086 
mode is entered by setting the VM flag. There are two ways to do this: 

1. A task switch to a 386 DX microprocessor task loads the image of the EFLAGS 
register from the new TSS. The TSS of the new task must be a 386 DX micropro- 
cessor TSS, not an 80286 TSS, because the 80286 TSS does not load the high word 
of the EFLAGS register, which contains the VM flag. A set VM flag in the new 
contents of the EFLAGS register indicates that the new task is executing 8086 in- 
structions; therefore, while loading the segment registers from the TSS, the 386 DX 
microprocessor forms base addresses in the 8086 style. 

2. An IRET instruction from a procedure of a 386 DX task loads the EFLAGS register 
from the stack. A set VM flag indicates the procedure to which control is being 
returned to be an 8086 procedure. The CPL at the time the IRET instruction is 
executed must be 0, otherwise the processor does not change the state of the VM 
flag. 

When a task switch is used to enter virtual-8086 mode, the segment registers are loaded 
from a TSS. But when an IRET instruction is used to set the VM flag, the segment 
registers keep the contents loaded during protected mode. Software should then reload 
these registers with segment selectors appropriate for virtual-8086 mode. 

The processor leaves virtual-8086 mode when an interrupt or exception occurs. There 
are two cases: 

L The interrupt or exception causes a task switch. A task switch from a virtual-8086 
task to any other task loads the EFLAGS register from the TSS of the new task. If 
the new TSS is a 386 DX microprocessor TSS and the VM flag in the new contents 
of the EFLAGS register is clear or if the new TSS is an 80286 TSS, the processor 
clears the VM flag of the EFLAGS register, loads the segment registers from the 
new TSS using 386 DX CPU-style address formation, and begins executing the in- 
structions of the new task in 386 DX microprocessor protected mode. 
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Figure 15-2. Entering and Leaving Virtual-8086 Mode 

2. The interrupt or exception calls a privilege-level procedure (most privileged). The 
processor stores the current contents of the EFLAGS register on the stack, then 
clears the VM flag. The interrupt or exception handler, therefore, runs as "native" 
386 DX microprocessor protected-mode code. If an interrupt or exception calls a 
procedure in a conforming segment or in a segment at a privilege level other than 
(most privileged), the processor generates a general-protection exception; the error 
code is the selector of the code segment to which a call was attempted. 

System software does not change the state of the VM flag directly, but instead changes 
states in the image of the EFLAGS register stored on the stack or in the TSS. The 
virtual-8086 monitor sets the VM flag in the EFLAGS image on the stack or in the TSS 
when first creating a virtual-8086 task. Exception and interrupt handlers can examine the 
VM flag on the stack. If the interrupted procedure was running in virtual-8086 mode, the 
handler may need to call the virtual-8086 monitor. 

15.3.1 Transitions Through Task Switches 

A task switch to or from a virtual-8086 task may come from any of three causes: 

1. An interrupt which calls a task gate. 

2. An action of the scheduler of the 386 DX microprocessor operating system. 

3. Executing an IRET instruction when the NT flag is set. 

In any of these cases, the processor changes the VM flag in the EFLAGS register ac- 
cording to the image in the new TSS. If the new TSS is an 80286 TSS, the upper word of 
the EFLAGS register is not in the TSS; the processor clears the VM flag in this case. 
The processor updates the VM flag prior to loading the segment registers from their 
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images in the new TSS. The new setting of the VM flag determines whether the proces- 
sor interprets the new segment-register images as 8086 selectors or 80286 and 386 DX 
microprocessor selectors. 



15.3.2 Transitions Through Trap Gates and Interrupt Gates 

The 386 DX microprocessor leaves virtual-8086 mode as the result of an exception or 
interrupt which calls a trap or interrupt gate. The exception or interrupt handler returns 
to the 8086 program by executing an IRET instruction. 

Because it was designed to run on an 8086 processor, an 8086 program in a virtual-8086 
task will have an 8086-style interrupt table, which starts at linear address 0. However, the 
386 DX microprocessor does not use this table directly. For all exceptions and interrupts 
which occur virtual-8086 mode, the processor calls handlers through the IDT. The IDT 
entry for an interrupt or exception in a virtual-8086 task must contain either: 

• A task gate. 

• A 386 DX trap gate (descriptor type 14) or 386 DX microprocessor interrupt gate 
(descriptor type 15), which must point to a nonconforming, privilege-level (most 
privileged), code segment. 

Interrupts and exceptions which call 386 DX microprocessor trap or interrupt gates use 
privilege-level 0. The contents of the segment registers are stored on the stack for this 
privilege level. Figure 15-3 shows the format of this stack after an exception or interrupt 
which occurs while a virtual-8086 task is running an 8086 program. 

After the processor saves the 8086 segment registers on the stack for privilege level 0, it 
clears the segment registers before running the handler procedure. This lets the inter- 
rupt handler safely save and restore the DS, ES, FS, and GS registers as though they 
were 386 DX microprocessor selectors. Interrupt handlers, which may be called in the 
context of either a regular task or a virtual-8086 task, can use the same code sequences 
for saving and restoring the registers for any task. Clearing these registers before execu- 
tion of the IRET instruction does not cause a trap in the interrupt handler. Interrupt 
procedures which expect values in the segment registers or which return values in the 
segment registers must use the register images saved on the stack for privilege level 0. 
Interrupt handlers which need to know whether the interrupt occurred in virtual-8086 
mode can examine the VM flag in the stored contents of the EFLAGS register. 

An interrupt handler passes control to the virtual-8086 monitor if the VM flag is set in 
the EFLAGS image stored on the stack and the interrupt or exception is one which the 
monitor needs to handle. The virtual-8086 monitor may either: 

• Handle the interrupt within the virtual-8086 monitor. 

• Call the 8086 program's interrupt handler. 
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Figure 15-3. Privilege Level Stack after Interrupt in Virtual-8086 Task 

Sending an interrupt or exception back to the 8086 program involves the following steps: 

1. Use the 8086 interrupt vector to locate the appropriate handler procedure. 

2. Store the state of the 8086 program on the privilege-level 3 stack (least privileged). 

3. Change the return link on the privilege-level stack (most privileged) to point to the 
privilege-level 3 handler procedure. 

4. Execute an IRET instruction to pass control to the handler. 

5. When the IRET instruction from the privilege-level 3 handler again calls the virtual- 
8086 monitor, restore the return link on the privilege-level stack to point to the 
original, interrupted, privilege-level 3 procedure. 

6. Execute an IRET instruction to pass control back to the interrupted procedure. 

15.4 ADDITIONAL SENSITIVE INSTRUCTIONS 

When the 386 DX microprocessor is running in virtual-8086 mode, the PUSHF, POPF, 
INT n and IRET instructions are sensitive to lOPL. The IN, INS, OUT, and OUTS 
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instructions, which are sensitive to lOPL in protected mode, are not sensitive in virtual- 
8086 mode. Following is a complete list of instructions which are sensitive in virtual-8086 
mode: 

CLI —Clear Interrupt-Enable Flag 

STI -Set Interrupt-Enable Flag 

PUSHF -Push Flags 

POPF -Pop Flags 

INT n — Software Interrupt 

IRET -Interrupt Return 

The CPL is always 3 while running in virtual-8086 mode; if the lOPL is less than 3, an 
attempt to use the instructions listed above will trigger a general-protection exception. 
These instructions are sensitive to the lOPL to give the virtual-8086 monitor a chance to 
emulate the facilities they affect. 

15.4.1 Emulating 8086 Operating System Calls 

The INT n instruction is sensitive to lOPL so a virtual-8086 monitor can intercept calls 
to the 8086 operating system. Many 8086 operating systems are called by pushing param- 
eters onto the stack, then executing an INT n instruction. If the lOPL is less than 3, INT 
n instructions are intercepted by the virtual-8086 monitor. The virtual-8086 monitor then 
can emulate the function of the 8086 operating system or send the interrupt back to the 
8086 operating system. 

15.4.2 Emulating the Interrupt-Enable Flag 

When the 386 DX microprocessor is running an 8086 program in a virtual-8086 task, the 
PUSHF, POPF, and IRET instructions are sensitive to the lOPL. This lets the virtual- 
8086 monitor protect the interrupt-enable flag (IF). Other instructions which affect the 
IF flag (such as the STI and CLI instructions) are sensitive to the lOPL in both 8086 and 
386 DX microprocessor programs. 

Many 8086 programs written for non-multitasking systems set and clear the IF flag to 
control interrupts. This may cause problems in a multitasking environment. If the lOPL 
is less than 3, all instructions which change or test the IF flag generate an exception. The 
virtual-8086 monitor then can control the IF flag in a manner compatible with the 386 
DX microprocessor environment and transparent to 8086 programs. 



15.5 VIRTUAL I/O 

Many 8086 programs written for non-multitasking systems directly access I/O ports. This 
may cause problems in a multitasking environment. If more than one program accesses 
the same port, they may interfere with each other. Most multitasking systems require 
application programs to access I/O ports through the operating system. This results in 
simplified, centralized control. 
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The 386 DX microprocessor provides I/O protection for creating I/O which is compatible 
with the 386 DX microprocessor environment and transparent to 8086 programs. De- 
signers may take any of several possible approaches to protecting I/O ports: 

• Protect the I/O address space and generate exceptions for all attempts to perform I/O 
directly. 

• Let the 8086 processor program perform I/O directly. 

• Generate exceptions on attempts to access specific I/O ports. 

• Generate exceptions on attempts to access specific memory-mapped I/O ports. 

The method of controlling access to I/O ports depends upon whether they are I/O- 
mapped or memory-mapped. 



15.5.1 l/0-Mapped I/O 

The I/O address space in virtual-8086 mode differs from protected mode only because 
the lOPL is not checked. Only the I/O permission bit map is checked when virtual-8086 
tasks access the I/O address space. 

The I/O permission bit map can be used to generate exceptions on attempts to access 
specific I/O addresses. The I/O permission bit map of each virtual-8086 task determines 
which I/O addresses generate exceptions for that task. Because each task may have a 
different I/O permission bit map, the addresses which generate exceptions for one task 
may be different from the addresses for another task. See Chapter 8 for more informa- 
tion about the I/O permission bit map. 



15.5.2 Memory-Mapped I/O 

In systems which use memory-mapped I/O, the paging facilities of the 386 DX micropro- 
cessor can be used generate exceptions for attempts to access I/O ports. The virtual-8086 
monitor may use paging to control memory-mapped I/O in these ways: 

• Map part of the linear address space of each task which needs to perform I/O to the 
physical address space where I/O ports are placed. By putting the I/O ports at differ- 
ent addresses (in different pages), the paging mechanism can enforce isolation be- 
tween tasks, 

• Map part of the linear address space to pages which are not-present. This generates 
an exception whenever a task attempts to perform I/O to those pages. System soft- 
ware then can interpret the I/O operation being attempted. 

Software emulation of the I/O space may require too much operating system interven- 
tion under some conditions. In these cases, it may be possible to generate an exception 
for only the first attempt to access I/O. The system software then may determine 
whether a program can be given exclusive control of I/O temporarily, the protection of 
the I/O space may be lifted, and the program allowed to run at full speed. 
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15.5.3 Special I/O Buffers 

Buffers of intelligent controllers (for example, a bit-mapped frame buffer) also can be 
emulated using page mapping. The linear space for the buffer can be mapped to a 
different physical space for each virtual-8086 task. The virtual-8086 monitor then can 
control which virtual buffer to copy onto the real buffer in the physical address space. 



15.6 DIFFERENCES FROM 8086 PROCESSOR 

In general, virtual-8086 mode will run software written for the 8086, 8088, 80186, and 
80188 processors. The following list shows the minor differences between the 8086 pro- 
cessor and the virtual-8086 mode of the 386 DX microprocessor. 

1. Instruction clock counts. 

The 386 DX microprocessor takes fewer clocks for most instructions than the 8086 
processor. The areas most likely to be affected are: 

® Delays required by I/O devices between I/O operations. 

® Assumed delays with 8086 processor operating in parallel with an 8087. 

2. Divide exceptions point to the DIV instruction. 

Divide exceptions on the 386 DX microprocessor always leave the saved CS:IP value 
pointing to the instruction which failed. On the 8086 processor, the CS:IP value 
points to the next instruction. 

3. Undefined 8086 processor opcodes. 

Opcodes which were not defined for the 8086 processor generate an invalid-opcode 
or execute as one of the new instructions defined for the 386 DX microprocessor. 

4. Value written by PUSH SP. 

The 386 DX microprocessor pushes a different value on the stack for PUSH SP than 
the 8086 processor. The 386 DX microprocessor pushes the value in the SP register 
before it is incremented as part of the push operation; the 8086 processor pushes the 
value of the SP register after it is incremented. If the pushed value is important, 
replace PUSH SP instructions with the following three instructions: 

PUSH BP 

nnv BP, SP 

XCHG BP, [BP] 

This code functions as the 8086 PUSH SP instruction on the 386 DX 
microprocessor. 

5. Shift or rotate by more than 31 bits. 

The 386 DX microprocessor masks all shift and rotate counts to the lowest five bits. 
This limits the count to a maximum of 31 bit positions, thereby limiting the time that 
interrupt response is delayed while the instruction executes. 
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6. Redundant prefixes. 

The 386 DX microprocessor limits instructions to 15 bytes. The only way to violate 
this limit is with redundant prefixes before an instruction. A general-protection ex- 
ception is generated if the limit on instruction length is violated. The 8086 processor 
has no instruction length limit. 

7. Operand crossing offset or 65,535. 

On the 8086 processor, an attempt to access a memory operand which crosses offset 
65,535 (e.g., MOV a word to offset 65,535) or offset (e.g., PUSH a word when the 
contents of the SP register are 1) causes the offset to wrap around modulo 65,536. 
The 386 DX microprocessor generates an exception in these cases, a general- 
protection exception if the segment is a data segment (i.e., if the CS, DS, ES, FS, or 
GS register is being used to address the segment), or a stack exception if the seg- 
ment is a stack segment (i.e., if the SS register is being used). 

8. Sequential execution across offset 65,535. 

On the 8086 processor, if sequential execution of instructions proceeds past offset 
65,535, the processor fetches the next instruction byte from offset of the same 
segment. On the 386 DX microprocessor, the processor generates a general- 
protection exception. 

9. LOCK is restricted to certain instructions. 

The LOCK prefix and its output signal should only be used to prevent other bus 
masters from interrupting a data movement operation. The LOCK prefix only may 
be used with the following 386 DX microprocessor instructions when they modify 
memory. An invalid opcode exception results from using LOCK before any other 
instruction, or with these instructions when no write operation is made to memory. 

• Bit test and change: the BTS, BTR, and BTC instructions, 
o Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

10. Single-stepping external interrupt handlers. 

The priority of the 386 DX microprocessor single-step exception is different from 
that of the 8086 processor. This change prevents an external interrupt handler from 
being single-stepped if the interrupt occurs while a program is being single-stepped. 
The 386 DX microprocessor single-step exception has higher priority than any ex- 
ternal interrupt. The 386 DX microprocessor will still single-step through an inter- 
rupt handler called by the INT instruction or by an exception. 

11. IDIV exceptions for quotients of 80H or 8000H. 

The 386 DX microprocessor can generate the largest negative number as a quotient 
from the IDIV instruction. The 8086 processor generates a divide-error exception 
instead. 

12. Flags in stack. 

The contents of the EFLAGS register stored by the PUSHF instruction, by inter- 
rupts, and by exceptions is different from that stored by the 8086 processor in bit 
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positions 12 through 15. On the 8086 processor these bits are stored as though they 
were set, but in virtual-8086 mode bit 15 is always clear, and bits 14 through 12 have 
the last value loaded into them. 

13. NMI interrupting NMI handlers. 

After an NMI interrupt is accepted by the 386 DX microprocessor, the NMI inter- 
rupt is masked until an IRET instruction is executed. 

14. Coprocessor errors generate interrupt 16. 

Any 386 DX microprocessor system with a coprocessor must use interrupt 16 for the 
coprocessor-error exception. If an 8086 system uses another vector for the 8087 
interrupt, both vectors should point to the coprocessor-error exception handler. 

15. Numeric exception handlers should allow prefixes. 

On the 386 DX microprocessor, the value of CS:IP saved for coprocessor exceptions 
points at any prefixes before an ESC instruction. On 8086 processor systems, the 
saved CS:IP points to the ESC instruction itself. 

16. Coprocessor does not use interrupt controller. 

The coprocessor error signal to the 386 DX microprocessor does not pass through 
an interrupt controller (an 8087 INT signal does). Some instructions in a coproces- 
sor error handler may need to be deleted if they deal with the interrupt controller. 

17. Response to bus hold. 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor responds to re- 
quests for control of the bus from other potential bus masters, such as DMA con- 
trollers, between transfers of parts of an unaligned operand, such as two words 
which form a doubleword. 

18. CPL is 3 in virtual-8086 mode. 

The 8086 processor does not support protection, so it has no CPL. Yirtual-8086 
mode uses a CPL of 3, which prevents the execution of privileged instructions. 
These are: 

LIDT instruction 

LGDT instruction 

LMSW instruction 

special forms of the MOV instruction for loading and storing the control registers 

CLTS instruction 

HLT instruction 

These instructions may be executed while the processor is in real-address mode 
following reset initialization. They allow system data structures, such as descriptor 
tables, to be set up before entering protected mode. Virtual-8086 mode is entered 
from protected mode, so it has no need for these instructions. 
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15.7 DIFFERENCES FROM 80286 REAL-ADDRESS MODE 

The 80286 processor implements the bus lock function differently than the 386 DX 
microprocessor. This fact may or may not be apparent to 8086 programs, depending on 
how the virtual-8086 monitor handles the LOCK prefix. Instructions with the LOCK 
prefix are sensitive to the lOPL; software designers can choose to emulate its function. 
If, however, 8086 programs are allowed to execute LOCK directly, programs which use 
forms of memory locking specific to the 8086 processor may not run properly when run 
on the 386 DX microprocessor. 

The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following 386 DX microprocessor instructions when they modify memory. An 
invalid-opcode exception results from using the LOCK prefix before any other instruc- 
tion, or with these instructions when no write operation is made to memory (i.e., when 
the destination operand is in a register). 

• Bit test and change: the BTS, BTR, and BTC instructions. 

• Exchange: the XCHG instruction. 

• One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 

• Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 

A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
80286 configurations lock the entire physical memory space. 

Unlike the 8086 and 80286 processors, the 386 DX microprocessor responds to requests 
for control of the bus from other potential bus masters, such as DMA controllers, 
between transfers of parts of an unaligned operand, such as two words which form a 
doubleword. 
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CHAPTER 16 
MIXING 16-BIT AND 32-BIT CODE 

The 386™ DX microprocessor running in protected mode is a complete 32-bit architec- 
ture, but it supports programs written for the 16-bit architecture of earher Intel® proces- 
sors. There are three levels of this support: 

1. Running 8086 and 80286 code with complete compatibility. 

2. Mixing 16-bit modules with 32-bit modules. 

3. Mixing 16-bit and 32-bit addresses and data within one module. 

The first level is discussed in Chapter 13, Chapter 14, and Chapter 15. This chapter 
shows how 16-bit and 32-bit modules can cooperate with one another, and how one 
module can use both 16-bit and 32-bit operands and addressing. 

The 386 DX microprocessor functions most efficiently when it is possible to distinguish 
between pure 16-bit modules and pure 32-bit modules. A pure 16-bit module has these 
characteristics: 

• All segments occupy 64K bytes or less. 

9 Data items are either 8 bits or 16 bits wide. 
9 Pointers to code and data have 16-bit offsets. 

• Control is transferred only among 16-bit segments. 

A pure 32-bit module has these characteristics: 

• Segments may occupy more than 64K bytes (0 bytes to 4 gigabytes). 

• Data items are either 8 bits or 32 bits wide. 

• Pointers to code and data have 32-bit offsets. 

• Control is transferred only among 32-bit segments. 

A program written for 16-bit processor would be pure 16-bit code. A new program 
written for the protected mode of the 386 DX microprocessor would be pure 32-bit code. 
As applications move from 16-bit processors to the 32-bit 386 DX microprocessor, there 
will be cases where 16-bit and 32-bit code will need to be mixed. Reasons for mixing 
code are: 

o Modules will be converted one-by-one from 16-bit environments to 32-bit 
environments. 

• Older, 16-bit compilers and software-development tools will be used in the new 32-bit 
operating environment until new 32-bit tools are available. 

• The source code of 16-bit modules is not available for modification. 

• The specific data structures used by a given module are fixed at 16-bit word size. 

• The native word size of the source language is 16 bits. 
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16.1 USING 16-BIT AND 32-BIT ENVIRONMENTS 

The features of the architecture which permit the 386 DX microprocessor to mix 16-bit 
and 32-bit address and operand size include: 

• The D-bit (default bit) of code-segment descriptors, which determines the default 
choice of operand-size and address-size for the instructions of a code segment. (In 
real-address mode and virtual-8086 mode, which do not use descriptors, the default is 
16 bits.) A code segment whose D-bit is set is a 32-bit segment; a code segment whose 
D-bit is clear is a 16-bit segment. The D-bit eliminates the need to put the operand 
size and address size in instructions when all instructions use operands and effective 
addresses of the same size. 

• Instruction prefixes to override the default choice of operand size and address size 
(available in protected mode as well as in real-address mode and virtual-8086 mode). 

• Separate 32-bit and 16-bit gates for intersegment control transfers (including call 
gates, interrupt gates, and trap gates). The operand size for the control transfer is 
determined by the type of gate, not by the D-bit or prefix of the transfer instruction. 

• Registers which can be used both for 16-bit and 32-bit operands and effective-address 
calculations. 

• The B bit (Big bit) of data-segment descriptors, which specifies the size of stack 
pointer (the 32-bit ESP register or the 16-bit SP register) used by the processor for 
implicit stack references. 

16.2 MIXING 16-BIT AND 32-BIT OPERATIONS 

The 386 DX microprocessor has two instruction prefixes which allow mixing of 32-bit 
and 16-bit operations within one segment: 

• The operand-size prefix (66H) 

• The address-size prefix (67H) 

These prefixes reverse the default size selected by the Default bit. For example, the 
processor can interpret the MOV mem, reg instruction in any of four ways: 

• In a 32-bit segment: 

1. Moves 32 bits from a 32-bit register to memory using a 32-bit effective address. 

2. If preceded by an operand-size prefix, moves 16 bits from a 16-bit register to 
memory using a 32-bit effective address. 

3. If preceded by an address-size prefix, moves 32 bits from a 32-bit register to 
memory using a 16-bit effective address. 

4. If preceded by both an address-size prefix and an operand-size prefix, moves 
16 bits from a 16-bit register to memory using a 16-bit effective address. 

• In a 16-bit segment: 

1. Moves 16 bits from a 16-bit register to memory using a 16-bit effective address. 

2. If preceded by an operand-size prefix, moves 32 bits from a 32-bit register to 
memory using a 16-bit effective address. 
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3. If preceded by an address-size prefix, moves 16 bits from a 16-bit register to 
memory using a 32-bit effective address. 

4. If preceded by both an address-size prefix and an operand-size prefix, moves 
32 bits from a 32-bit register to memory using a 32-bit effective address. 

These examples show that any instruction can generate any combination of operand size 
and address size regardless of whether the instruction is in a 16- or 32-bit segment. The 
choice of the 16- or 32-bit default for a code segment is based upon these criteria: 

1. The need to address instructions or data in segments which are larger than 
64K bytes. 

2. The predominant size of operands. 

3. The addressing modes desired. (See Chapter 17 for an explanation of the additional 
addressing modes available when 32-bit addressing is used.) 

The Default bit should be given a setting which allows the predominant size of operands 
to be accessed without operand-size prefixes. 



16.3 SHARING DATA AMONG MIXED-SIZE CODE SEGMENTS 

Because the choice of operand size and address size is specified in code segments and 
their descriptors, data segments can be shared freely among both 16-bit and 32-bit code 
segments. The only limitation is imposed by pointers with 16-bit offsets, which only can 
point to the first 64K bytes of a segment. When a data segment with more than 64K 
bytes is to be shared among 16- and 32-bit segments, the data which is to be accessed by 
the 16-bit segments must be located within the first 64K bytes. 

A stack which spans less than 64K bytes can be shared by both 16- and 32-bit code 
segments. This class of stacks includes: 

® Stacks in expand-up segments with the Granularity and Big bits clear. 

® Stacks in expand-down segments with the Granularity and Big bits clear. 

© Stacks in expand-up segments with the Granularity bit set and the Big bit clear, in 
which the stack is contained completely within the lower 64K bytes. (Offsets greater 
than OFFFFH can be used for data, other than the stack, which is not shared.) 

The B-bit of a stack segment cannot, in general, be used to change the size of stack used 
by a 16-bit code segment. The size of stack pointer used by the processor for implicit 
stack references is controlled by the B-bit of the data-segment descriptor for the stack. 
Implicit references are those caused by interrupts, exceptions, and instructions such as 
the PUSH, POP, CALL, and RET instructions. Although it seems like the B bit could be 
used to increase the stack segment for 16-bit programs beyond 64K bytes, this may not 
be done. The B-bit does not control explicit stack references, such as accesses to param- 
eters or local variables. A 16-bit code segment can use a "big" stack only if the code is 
modified so that all explicit references to the stack are preceded by the address-size 
prefix, causing those references to use 32-bit addressing. 

16-3 



Intel' 



MIXING 16-BIT AND 32-BIT CODE 



In big, expand-down segments (the Granularity, Big, and Expand-down bits set), all 
offsets are greater than 64K, therefore 16-bit code cannot use this kind of stack segment 
unless the code segment is modified to use 32-bit addressing. (See Chapter 6 for more 
information about the G, B, and E bits.) 

16.4 TRANSFERRING CONTROL AMONG MIXED-SIZE CODE 
SEGMENTS 

When transferring control among procedures in 16-bit and 32-bit code segments, pro- 
grammers must be aware of three points: 

• Addressing limitations imposed by pointers with 16-bit offsets. 

o Matching of operand-size attribute in effect for the CALL/RET instruction pair and 
the Interrupt/IRET pair for managing the stack correctly. 

• Translation of parameters, especially pointer parameters. 

Clearly, 16-bit effective addresses cannot be used to address data or code located beyond 
OFFFFH in a 32-bit segment, nor can large 32-bit parameters be squeezed into a 16-bit 
word; however, except for these obvious limits, most interface problems between 16-bit 
and 32-bit modules can be solved. Some solutions involve inserting interface code be- 
tween modules. 



16.4.1 Size of Code-Segment Pointer 

For control-transfer instructions which use a pointer to identify the next instruction (i.e., 
those which do not use gates), the size of the offset portion of the pointer is determined 
by the operand-size attribute. The implications of the use of two different sizes of code- 
segment pointer are: 

o A JMP, CALL, or RET instruction from a 32-bit segment to a 16-bit segment is 
always possible using a 32-bit operand size. 

© A JMP, CALL, or RET instruction from a 16-bit segment using a 16-bit operand size 
cannot address a destination in a 32-bit segment if the address of the destination is 
greater than OFFFFH. 

An interface procedure can provide a mechanism for transfers from 16-bit segments to 
destinations in 32-bit segments beyond 64K. The requirements for this kind of interface 
procedure are discussed later in this chapter. 

16.4.2 Stack Management for Control Transfers 

Because stack management is different for 16-bit CALL and RET instructions than for 
32-bit CALL and RET instructions, the operand size of the RET instruction must match 
the CALL instruction. (See Figure 16-1.) A 16-bit CALL instruction pushes the contents 
of the 16-bit IP register and (for calls between privilege levels) the 16-bit SP register. 
The matching RET instruction also must use a 16-bit operand size to pop these 16-bit 
values from the stack into the 16-bit registers. A 32-bit CALL instruction pushes the 
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Figure 16-1. Stack after Far 16- and 32-Bit Calls 

contents of the 32-bit EIP register and (for interlevel calls) the 32-bit ESP register. The 
matching RET instruction also must use a 32-bit operand size to pop these 32-bit values 
from the stack into the 32-bit registers. If the two parts of a CALL/RET instruction pair 
do not have matching operand sizes, the stack will not be managed correctly and the 
values of the instruction pointer and stack pointer will not be restored to correct values. 

When the CALL instruction and its matching RET instruction are in segments which 
have D bits with the same values (i.e., both have 32-bit defaults or both have 16-bit 
defaults), the default settings may be used. When the CALL instruction and its matching 
RET instruction are in segments which have different D-bit values, an operand size 
prefix must be used. 

There are three ways for a 16-bit procedure to make a 32-bit call: 

1. Use a 16-bit call to a 32-bit interface procedure. The interface procedure uses a 
32-bit call to the intended destination. 

2. Make the call through a 32-bit call gate. 

3. Modify the 16-bit procedure, inserting an operand-size prefix before the call, to 
change it to a 32-bit call. 
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Likewise, there are three ways to cause a 32-bit procedure to make a 16-bit call: 

1. Use a 32-bit call to a 32-bit interface procedure. The interface procedure uses a 
16-bit call to the intended destination. 

2. Make the call through a 16-bit call gate. 

3. Modify the 32-bit procedure, inserting an operand-size prefix before the call, 
thereby changing it to a 16-bit call. (Be certain that the return offset does not exceed 
OFFFFH.) 

Programmers can use any of the preceding methods to make a CALL instruction in a 
16-bit segment match the corresponding RET instruction in a 32-bit segment, or to make 
a CALL instruction in a 32-bit segment match the corresponding RET instruction in a 
16-bit segment. 

16.4.2.1 CONTROLLING THE OPERAND SIZE FOR A CALL 

The operand-size attribute in effect for the CALL instruction is specified by the D bit 
for the segment containing the destination and by any operand-size instruction prefix. 

When the selector of the pointer referenced by a CALL instruction selects a gate de- 
scriptor, the type of call is determined by the type of call gate. A call through an 80286 
call gate (descriptor type 4) has a 16-bit operand-size attribute; a call through a 386 DX 
microprocessor call gate (descriptor type 12) has a 32-bit operand-size attribute. The 
offset to the destination is taken from the gate descriptor; therefore, even a 16-bit pro- 
cedure can call a procedure located more than 64K bytes from the base of a 32-bit 
segment, because a 32-bit call gate contains a 32-bit offset. 

An unmodified 16-bit code segment which has run successfully on an 8086 processor or 
in real-mode on an 80286 processor will have a D-bit which is clear and will not use 
operand-size override prefixes; therefore, it will use 16-bit versions of the CALL instruc- 
tion. The only modification needed to make a 16-bit procedure produce a 32-bit call is to 
relink the call to a 386 DX microprocessor call gate. 

16.4.2.2 CHANGING SIZE OF A CALL 

When adding 32-bit gates to 16-bit procedures, it is important to consider the number of 
parameters. The count field of the gate descriptor specifies the size of the parameter 
string to copy from the current stack to the stack of the more privileged procedure. The 
count field of a 16-bit gate specifies the number of words to be copied, whereas the count 
field of a 32-bit gate specifies the number of doublewords to be copied; therefore, the 
16-bit procedure must use an even number of words as parameters. 

16.4.3 Interrupt Control Transfers 

With a control transfer caused by an exception or interrupt, a gate is used. The operand- 
size attribute for the interrupt is determined by the gate descriptor in the interrupt 
descriptor table (IDT). 
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A 386 DX microprocessor interrupt or trap gate (descriptor type 14 or 15) to a 32-bit 
interrupt handler can be used to interrupt either 32-bit or 16-bit procedures. However, 
sometimes it is not practical to permit an interrupt or exception to call a 16-bit handler 
when 32-bit code is running, because a 16-bit interrupt procedure has a return offset of 
only 16 bits saved on its stack. If the 32-bit procedure is running at an address beyond 
OFFFFH, the 16-bit interrupt procedure cannot provide the return address. 



16.4.4 Parameter Translation 

When segment offsets or pointers (which contain segment offsets) are passed as param- 
eters between 16-bit and 32-bit procedures, some translation is required. If a 32-bit 
procedure passes a pointer to data located beyond 64K to a 16-bit procedure, the 16-bit 
procedure cannot use it. Except for this limitation, interface code can perform any for- 
mat conversion between 32-bit and 16-bit pointers which may be needed. 

Parameters passed by value between 32-bit and 16-bit code also may require translation 
between 32-bit and 16-bit formats. The form of the translation is application-dependent. 



16.4.5 The Interface Procedure 

Placing interface code between 32-bit and 16-bit procedures can be the solution to sev- 
eral interface problems: 

• Allowing procedures in 16-bit segments to call procedures with offsets greater than 
OFFFFH in 32-bit segments. 

• Matching operand size between CALL and RET instructions. 

• Translating parameters (data). 

The interface code is simplified where these restrictions are followed. 

• Interface code resides in a code segment whose D-bit is set, which indicates a default 
operand size of 32-bits. 

o All procedures which may be called by 16-bit procedures have offsets which are not 
greater than OFFFFH. 

• All return addresses saved by 16-bit procedures also have offsets not greater than 
OFFFFH. 

The interface code becomes more complex if any of these restrictions are violated. For 
example, if a 16-bit procedure calls a 32-bit procedure with an entry point beyond 
OFFFFH, the interface code will have to provide the offset tp the entry point. The 
mapping between 16- and 32-bit addresses only is performed automatically when a call 
gate is used, because the descriptor for a call gate contains a 32-'bit address. When a call 
gate is not used, the descriptor must provide the 32-bit address. 
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The interface code calls procedures in other segments. There may be two kinds of 
interface: 

• Where 16-bit procedures call 32-bit procedures. The interface code is called by 16-bit 
CALL instructions and uses the operand-size prefix before RET instructions for per- 
forming a 16-bit RET instruction. Calls to 32-bit segments are 32-bit CALL instruc- 
tions (by default, because the D-bit is set), and the 32-bit code returns with 32-bit 
RET instructions. 

• Where 32-bit procedures call 16-bit procedures. The interface code is called by 32-bit 
CALL instructions, and returns with 32-bit RET instructions (by default, because the 
D-bit is set). CALL instructions to 16-bit procedures use the operand-size prefix; 
16-bit procedures return with 16-bit RET instructions. 
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CHAPTER 17 
386™ DX MICROPROCESSOR INSTRUCTION SET 

This chapter presents instructions for the 386™ DX microprocessor in alphabetical or- 
der. For each instruction, the forms are given for each operand combination, including 
object code produced, operands required, execution time, and a description. For each 
instruction, there is an operational description and a summary of exceptions generated. 



17.1 OPERAND-SIZE AND ADDRESS-SIZE ATTRIBUTES 

When executing an instruction, the 386 DX microprocessor can address memory using 
either 16 or 32-bit addresses. Consequently, each instruction that uses memory addresses 
has associated with it an address-size attribute of either 16 or 32 bits. The use of 16-bit 
addresses imphes both the use of 16-bit displacements in the instruction and the gener- 
ation of 16-bit address offsets (segment relative addresses) as the result of the effective 
address calculation. The use of 32-bit addresses implies the use of 32-bit displacements 
and the generation of 32-bit address offsets. Similarly, an instruction that accesses words 
(16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits. 

The attributes are determined by a combination of defaults, instruction prefixes, and 
(for programs executing in protected mode) size-specification bits in segment 
descriptors. 



17.1.1 Default Segment Attribute 

For programs running in protected mode, the D bit in executable-segment descriptors 
specifies the default attribute for both address size and operand size. These default 
attributes apply to the execution of all instructions in the segment. A clear D bit sets the 
default address size and operand size to 16 bits; a set D bit, to 32 bits. 

Programs that execute in real mode or virtual-8086 mode have 16-bit addresses and 
operands by default. 



17.1.2 Operand-Size and Address-Size Instruction Prefixes 

The internal encoding of an instruction can include two byte-long prefixes: the address- 
size prefix, 67H, and the operand-size prefix, 66H. (A later section, "Instruction 
Format," shows the position of the prefixes in an instruction's encoding.) These prefixes 
override the default segment attributes for the instruction that follows. Table 17-1 shows 
the effect of each possible combination of defaults and overrides. 
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Table 17-1. Effective Size Attributes 
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Y = Yes, this instruction prefix is present 
N = No, this instruction prefix is not present 

17.1.3 Address-Size Attribute for Stack 

Instructions that use the stack impHcitly (for example: POP EAX) also have a stack 
address-size attribute of either 16 or 32 bits. Instructions with a stack address-size 
attribute of 16 use the 16-bit SP stack pointer register; instructions with a stack address- 
size attribute of 32 bits use the 32-bit ESP register to form the address of the top of the 
stack. 

The stack address-size attribute is controlled by the B-bit of the data-segment descriptor 
in the SS register. A value of zero in the B-bit selects a stack address-size attribute of 16; 
a value of one selects a stack address-size attribute of 32. 



17.2 INSTRUCTION FORMAT 

All instruction encodings are subsets of the general instruction format shown in 
Figure 17-1. Instructions consist of optional instruction prefixes, one or two primary 
opcode bytes, possibly an address specifier consisting of the ModR/M byte and the SIB 
(Scale Index Base) byte, a displacement, if required, and an immediate data field, if 
required. 
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Figure 17-1. 386™ DX Microprocessor Instruction Format 
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Smaller encoding fields can be defined within the primary opcode or opcodes. These 
fields define the direction of the operation, the size of the displacements, the register 
encoding, or sign extension; encoding fields vary depending on the class of operation. 

Most instructions that can refer to an operand in memory have an addressing form byte 
following the primary opcode byte(s). This byte, called the ModR/M byte, specifies the 
address form to be used. Certain encodings of the ModR/M byte indicate a second 
addressing byte, the SIB (Scale Index Base) byte, which follows the ModR/M byte and is 
required to fully specify the addressing form. 

Addressing forms can include a displacement immediately following either the ModR/M 
or SIB byte. If a displacement is present, it can be 8-, 16- or 32-bits. 

If the instruction specifies an immediate operand, the immediate operand always follows 
any displacement bytes. The immediate operand, if specified, is always the last field of 
the instruction. 

The following are the allowable instruction prefix codes: 

OF3H REP prefix (used only with string instructions) 

OF3H REPE/REPZ prefix (used only with string instructions) 

OF2H REPNE/REPNZ prefix (used only with string instructions) 

OFOH LOCK prefk 

The following are the segment override prefixes: 

2EH CS segment override prefix 

36H SS segment override prefix 

3EH DS segment override prefix 

26H ES segment override prefix 

64H FS segment override prefix 

65H GS segment override prefix 

66H Operand-size override 

67H Address-size override 



17.2.1 ModR/M and SIB Bytes 

The ModR/M and SIB bytes follow the opcode byte(s) in many of the 386 DX micropro- 
cessor instructions. They contain the following information: 

o The indexing type or register number to be used in the instruction 

• The register to be used, or more information to select the instruction 

• The base, index, and scale information 

The ModR/M byte contains three fields of information: 

• The mod field, which occupies the two most significant bits of the byte, combines with 
the r/m field to form 32 possible values: eight registers and 24 indexing modes. 

17-3 



intel' 



386 " DX MICROPROCESSOR INSTRUCTION SET 



• The reg field, which occupies the next three bits following the mod field, specifies 
either a register number or three more bits of opcode information. The meaning of 
the reg field is determined by the first (opcode) byte of the instruction. 

• The r/m field, which occupies the three least significant bits of the byte, can specify a 
register as the location of an operand, or can form part of the addressing-mode 
encoding in combination with the mod field as described above. 



The based indexed and scaled indexed forms of 32-bit addressing require the SIB byte. 
The presence of the SIB byte is indicated by certain encodings of the ModR/M byte. The 
SIB byte then includes the following fields: 

• The ss field, which occupies the two most significant bits of the byte, specifies the 
scale factor. 



9 



• 



The index field, which occupies the next three bits following the ss field and specifies 
the register number of the index register. 

The base field, which occupies the three least significant bits of the byte, specifies the 
register number of the base register. 



Figure 17-2 shows the formats of the ModR/M and SIB bytes. 



The values and the corresponding addressing forms of the ModR/M and SIB bytes are 
shown in Tables 17-2, 17-3, and 17-4. The 16-bit addressing forms specified by the 
ModR/M byte are in Table 17-2. The 32-bit addressing forms specified by the ModR/M 
byte are in Table 17-3. Table 17-4 shows the 32-bit addressing forms specified by the SIB 
byte. 



MODR/M BYTE 
7 6 5 4 3 2 10 



1 MOD 1 REG/OPCODE 1 R/M 


n 


SIB (SCALE INDEX BASE) BYTE 
7 6 5 4 3 2 1 





1 SS 1 INDEX 1 BASE 


3 



Figure 17-2. ModR/M and SIB Byte Formats 
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Table 17-2. 16-Bit Addressing Forms with the ModR/M Byte 






r8(/r) 




AL 


CL 


DL 


BL 


AH 


CH 


DH 


BH 


r16(/r) 




AX 


CX 


DX 


BX 


SP 


BP 


SI 


Dl 


r32(/r) 




EAX 


ECX 


EDX 


EBX 


ESP 


EBP 


ESI 


EDI 


/digit (Opcode) 







1 


2 


3 


4 


5 


6 


7 


REG = 




000 


001 


010 


011 


100 


101 


110 


111 


Effective 
Address 


Mod R/M 






ModR/M Values 


in Hexadecimal 








BX + SI] 




000 


00 


08 


10 


18 


20 


28 


30 


38 




BX + DI 




001 


01 


09 


11 


19 


21 


29 


31 


39 




BP + SI 




010 


02 


OA 


12 


1A 


22 


2A 


32 


3A 




BP + Di 




00 °^^ 
°° 100 


03 


OB 


13 


IB 


23 


2B 


33 


3B 




SI] 


04 


OC 


14 


1C 


24 


2C 


34 


3C 




Dl 


101 


05 


OD 


15 


ID 


25 


2D 


35 


3D 


disp16 


110 


06 


OE 


16 


IE 


26 


2E 


36 


3E 


[BX] 


111 


07 


OF 


17 


IF 


27 


2F 


37 


3F 




BX + SI] 


+ disp8 


000 


40 


48 


50 


58 


60 


68 


70 


78 




BX + DI 


+ disp8 


001 


41 


49 


51 


59 


61 


69 


71 


79 




BP + SI] 


+ disp8 


010 


42 


4A 


52 


5A 


62 


6A 


72 


7A 




BP + DI 


+ disp8 


01 °^^ 
"^ 100 


43 


4B 


53 


5B 


63 


6B 


73 


7B 




Sl] + disp8 


44 


4C 


54 


5C 


64 


6C 


74 


7C 




Dl +disp8 


101 


45 


4D 


55 


5D 


65 


6D 


75 


7D 




BP +disp8 


110 


46 


4E 


56 


5E 


66 


6E 


76 


7E 




BX +disp8 


111 


47 


4F 


57 


5F 


67 


6F 


11 


7F 




[BX + SI]+disp16 


000 


80 


88 


90 


98 


AO 


A8 


BO 


B8 




BX + DI +disp16 


001 


81 


89 


91 


99 


A1 


A9 


B1 


B9 




BX + SI +disp16 


010 


82 


8A 


92 


9A 


A2 


AA 


B2 


BA 




BX + DI +disp16 


10 °^^ 
^° 100 


83 


8B 


93 


9B 


A3 


AB 


B3 


BB 




Sl] + disp16 


84 


8C 


94 


9C 


A4 


AC 


B4 


BC 




Dl +disp16 


101 


85 


8D 


95 


9D 


A5 


AD 


B5 


BD 




BP +disp16 


110 


86 


8E 


96 


9E 


A6 


AE 


B6 


BE 




BX +disp16 


111 


87 


8F 


97 


9F 


A7 


AF 


B7 


BF 


EAX/AX/AL 


000 


CO 


C8 


DO 


D8 


EO 


E8 


FO 


F8 


ECX/CX/CL 


001 


G1 


C9 


Dl 


D9 


EQ 


E9 


F1 


F9 


EDX/DX/DL 


010 


C2 


CA 


D2 


DA 


E2 


EA 


F2 


FA 


EBX/BX/BL 


11 0^^ 

" 100 


C3 


CB 


D3 


DB 


E3 


EB 


F3 


FB 


ESP/SP/AH 


C4 


CC 


D4 


DC 


E4 


EC 


F4 


FC 


EBP/BP/CH 


101 


C5 


CD 


D5 


DD 


E5 


ED 


F5 


FD 


ESI/SI/DH 


110 


C6 


CE 


D6 


DE 


E6 


EE 


F6 


FE 


EDI/DI/BH 


111 


C7 


CF 


D7 


DF 


E7 


EF 


F7 


FF 



NOTES: dispB denotes an 8-bit displacement following the ModR/M byte, to be sign-extended and added 
to the index. disp1 6 denotes a 1 6-bit displacement following the ModR/M byte, to be added to the 
index. Default segment register is SS for the effective addresses containing a BP index, DS for 
other effective addresses. 
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Table 17-3. 32-Bit Addressing Forms with the 1 


\l\o6RIK 


fl Byte 






r8(/r) 


AL 


CL 


DL 


BL 


AH 


CH 


DH 


BH 


r16(/r) 


AX 


CX 


DX 


BX 


SP 


BP 


SI 


Dl 


r32(/r) 


EAX 


ECX 


EDX 


EBX 


ESP 


EBP 


ESI 


EDI 


/digit (Opcode) 





1 


2 


3 


4 


5 


6 


7 


REG = 


000 


001 


010 


Oil 


100 


101 


110 


111 


Effective 
, Address 


ModR/M 




ModR/M Values 


in Hexadecimal 








EAX] 


000 


00 


08 


10 


18 


20 


28 


30 


38 




ECX 


001 


01 


09 


11 


19 


21 


29 


31 


39 




EDX 


010 


02 


OA 


12 


1A 


22 


2A 


32 


3A 




EBX 


00 °^^ 
^° 100 


03 


OB 


13 


IB 


23 


2B 


33 


3B 




..][- 


04 


OC 


14 


1C 


24 


2C 


34 


3C 


disp3'2 


101 


05 


OD 


15 


ID 


25 


2D 


35 


3D 


[ESI 


110 


08 


OE 


16 


IE 


26 


2E 


36 


3E 


[EDI 


111 


07 


OF 


17 


IF 


27 


2F 


37 


3F 


disp8[ 


EAX] 


000 


40 


48 


50 


58 


60 


68 


70 


78 


disp8[ 


ECX 


001 


41 


49 


51 


59 


61 


69 


71 


79 


disp8[ 


EDX 


010 


42 


4A 


52 


5A 


62 


6A 


72 


7A 


disp8[ 


EPX]; 


01 °^^ 
^- 100 


43 


4B 


53 


5B 


63 


6B 


73 


7B 


disp8 


--][- 


44 


4C 


54 


5C 


64 


6C 


74 


7C 


disp8 


ebp] 


101 


45 


4D 


55 


5D 


65 


6D 


75 


7D 


disp8 


ESI 


110 


46 


4E 


56 


5E 


66 


6E 


76 


7E 


disp8 


EDI 


111 


47 


4F 


57 


5F 


67 


6F 


77 


7F 


disp32 


EAX] 




000 


80 


88 


90 


98 


AO 


A8 


BO 


B8 


disp32 


ECX 




001 


81 


89 


91 


99 


A1 


A9 


B1 


B9 


disp32 


EDX 




010 


82 


8A 


92 


9A 


A2 


AA 


B2 


BA 


disp32 


EBX] 




10 °^^ 
^" 100 


83 


8B 


93 


9B 


A3 


AB 


B3 


BB 


disp32 


--][-- 




84 


8C 


94 


9C 


A4 


AC 


B4 


BC 


disp32 


EBP 




101 


85 


8D 


95 


9D 


A5 


AD 


B5 


BD 


disp32 


ESI]' 


110 


86 


8E 


96 


9E 


A6 


AE 


B6 


BE 


disp32 


[EDI 


111 


87 


8F 


97 


9F 


A7 


AF 


B7 


BF 


EAX/AX/AL 


000 


CO 


C8 


DO 


D8 


EO 


E8 


FO 


F8 


ECX/CX/CL 


001 


CI 


C9 


D1 


D9 


El 


E9 


Fl 


F9 


EDX/DX/DL 


010 


C2 


CA 


D2 


DA 


E2 


EA 


F2 


FA 


EBX/BX/BL 


11 °^^ 

^^ 100 


C3 


CB 


D3 


DB 


E3 


EB 


F3 


FB 


ESP/SP/AH 


C4 


CC 


D4 


DC 


E4 


EC 


F4 


FC 


EBP/BP/GH 


101 


C5 


CD 


D5 


DD 


E5 


ED 


F5 


FD 


ESI/SI/DH 


110 


C6 


CE 


D6 


DE 


E6 


EE 


F6 


FE 


EDI/DI/BH 


111 


C7 


CF 


D7 


DF 


E7 


EF 


F7 


FF 



NOTES: HH means a SIB follows the ModR/M byte. dIspB denotes an 8-bit displacennent following the 
SIB byte, to be sign-extended and added to the index. disp32 denotes a 32-bit displacement 
following the ModR/M byute, to be added to the index. 



17-6 



intel' 



386™ DX MICROPROCESSOR INSTRUCTION SET 



Table 17-4. 32-Bit Addressing Forms with the SIB Byte 



r32 




EAX 


ECX 


EDX 


EBX 


ESP 


[*] 


ESI 


EDI 


Base = 







1 


2 


3 


4 


5 


6 


7 


Base = 




000 


001 


010 


Oil 


100 


101 


110 


111 


Scaled Index 


SS Index 






ModR/M Values 


in Hexadecinnal 








EAX] 


000 


00 


01 


02 


03 


04 


05 


06 


07 




ECX 


001 


08 


09 


OA 


OB 


OC 


OD 


OE 


OF 




EDX 


010 


10 


11 


12 


13 


14 


15 


16 


17 




EBX 


nn Oil 
^^ 100 


18 


19 


1A 


IB 


1C 


ID 


IE 


IF 


none 


20 


21 


22 


23 


24 


25 


26 


27 




EBP] 


101 


28 


29 


2A 


2B 


2C 


2D 


2E 


2F 




ESI] 


110 


30 


31 


32 


33 


34 


35 


36 


37 




EDI 


111 


38 


39 


3A 


3B 


3C 


3D 


3E 


3F 




[EAX*2] 


000 


40 


41 


42 


43 


44 


45 


46 


47 




ECX*2 


001 


48 


49 


4A 


4B 


4C 


4D 


4E 


4F 




ECX*2 


010 


50 


51 


52 


53 


54 


55 


56 


57 




EBX*2] 


01 °11 
"^ 100 


58 


59 


5 A 


5B 


5C 


5D 


5E 


5F 


none 


60 


61 


62 


63 


64 


65 


66 


67 




EBP*2] 


101 


68 


69 


6A 


6B 


6C 


6D 


6E 


6F 




ESI*2] 


110 


70 


71 


72 


73 


74 


75 


76 


11 




EDI*2 


111 


78 


79 


7A 


7B 


7C 


7D 


7E 


IF 


EAX*4] 


000 


80 


81 


82 


83 


84 


85 


86 


87 


ECXM 


001 


88 


89 


8A 


8B 


8C 


8D 


8E 


8F 


EDXM 


010 


90 


91 


92 


93 


94 


95 


96 


97 


EBX*4 


10 °11 
^" 100 


98 


89 


9A 


9B 


9C 


9D 


9E 


9F 


none 


AO 


A1 


A2 


A3 


A4 


A5 


A6 


M 


EBPM] 


101 


A8 


A9 


AA 


AB 


AC 


AD 


AE 


AF 


ESIM] 


110 


BO 


B1 


B2 


B3 


B4 


B5 


B6 


B7 


EDIM 


111 


B8 


B9 


BA 


BB 


BC 


BD 


BE 


BF 




EAX*8] 


000 


CO 


CI 


C2 


C3 


C4 


C5 


C6 


C7 




ECX*8 


001 


C8 


C9 


CA 


CB 


CC 


CD 


CE 


CF 




EDX*8 


010 


DO 


D1 


D2 


D3 


D4 


D5 


D6 


D7 




EBX*8 


11 oil 

^^ 100 


D8 


D9 


DA 


DB 


DC 


DD 


DE 


DF 


hone 


EO 


El 


E2 


E3 


E4 


E5 


E6 


E7 




EBP*8] 


101 


E8 


E9 


EA 


EB 


EC 


ED 


EE 


EF 




ESI*8] 


110 


FO 


F1 


F2 


F3 


F4 


F5 


F6 


F7 




EDI*8 


111 


F8 


F9 


FA 


FB 


FC 


FD 


FE 


FF 



NOTES: [*] means a disp32 with no base if MOD is 00, 
addressing modes: 
disp32[index] (MOD = 00) 

disp8[EBP] [index] (MOD = 01) 

disp32[EBP] [index] (MOD = 10) 



[ESP] otherwise. This provides the following 
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17.2.2 How to Read the Instruction Set Pages 

The following is an example of the format used for each 386 DX microprocessor instruc- 
tion description in this chapter: 



CMC — Complement Carry Flag 



Opcode Instruction Clocks Description 

F5 CMC 2 Complement carry flag 



The above table is followed by paragraphs labelled "Operation," "Description," "Flags 
Affected," "Protected Mode Exceptions," "Real Address Mode Exceptions," and, 
optionally, "Notes." The following sections explain the notational conventions and 
abbreviations used in these paragraphs of the instruction descriptions. 

17.2.2.1 OPCODE 

The "Opcode" column gives the complete object code produced for each form of the 
instruction. When possible, the codes are given as hexadecimal bytes, in the same order 
in which they appear in memory. Definitions of entries other than hexadecimal bytes are 
as follows: 

/digit: (digit is between and 7) indicates that the ModR/M byte of the instruction uses 
only the r/m (register or memory) operand. The reg field contains the digit that provides 
an extension to the instruction's opcode. 

/r: indicates that the ModR/M byte of the instruction contains both a register operand 
and an r/m operand. 

cb, cw, cd, cp: a 1-byte (cb), 2-byte (cw), 4-byte (cd) or 6-byte (cp) value following the 
opcode that is used to specify a code offset and possibly a new value for the code 
segment register. 

ib, iw, id: a 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to the instruction 
that follows the opcode, ModR/M bytes or scale-indexing bytes. The opcode determines 
if the operand is a signed value. All words and doublewords are given with the low-order 
byte first. 

+ rb, +rw, +rd: a register code, from through 7, added to the hexadecimal byte given 
at the left of the plus sign to form a single opcode byte. The codes are — 



rb 


rw 


rd 




AL = 


AX = 


EAX = 





CL = 1 


CX = 1 


ECX = 


1 


DL = 2 


DX = 2 


EDX = 


2 


BL = 3 


BX = 3 


EBX = 


3 
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rb 




rw 


r 


d 


AH = 


4 


SP = 4 


ESP 


= 4 


CH = 


5 


BP = 5 


EBP 


= 5 


DH = 


6 


SI = 6 


ESI 


= 6 


BH = 


7 


DI = 7 


EDI 


= 7 



17.2.2.2 INSTRUCTION 

The "Instruction" column gives the syntax of the instruction statement as it would 
appear in an ASM386 program. The following is a list of the symbols used to represent 
operands in the instruction statements: 

rel8: a relative address in the range from 128 bytes before the end of the instruction to 
127 bytes after the end of the instruction. 

rell6, rel32: a relative address within the same code segment as the instruction assem- 
bled. rell6 applies to instructions with an operand-size attribute of 16 bits; rel32 applies 
to instructions with an operand-size attribute of 32 bits. 

ptrl6:16, ptrl6:32: a far pointer, typically in a code segment different from that of the 
instruction. The notation 16:16 indicates that the value of the pointer has two parts. The 
value to the right of the colon is a 16-bit selector or value destined for the code segment 
register. The value to the left corresponds to the offset within the destination segment. 
ptrl6:16 is used when the instruction's operand-size attribute is 16 bits; ptrl6:32 is used 
with the 32-bit attribute. 

r8: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH. 

rl6: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI. 

r32: one of the doubleword registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or EDI. 

immS: an immediate byte value. immS is a signed number between — 128 and + 127 
inclusive. For instructions in which immS is combined with a word or doubleword oper- 
and, the immediate value is sign-extended to form a word or doubleword. The upper 
byte of the word is filled with the topmost bit of the immediate value. 

imml6: an immediate word value used for instructions whose operand-size attribute is 
16 bits. This is a number between —32768 and +32767 inclusive. 

imm32: an immediate doubleword value used for instructions whose operand-size at- 
tribute is 32-bits. It allows the use of a number between +2147483647 and -2147483648 
inclusive. 

r/m8: a one-byte operand that is either the contents of a byte register (AL, BL, CL, DL, 
AH, BH, CH, DH), or a byte from memory. 
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r/ml6: a word register or memory operand used for instructions whose operand-size 
attribute is 16 bits. The word registers are: AX, BX, CX, DX, SP, BP, SI, DI. The 
contents of memory are found at the address provided by the effective address 
computation. 

r/m32: a doubleword register or memory operand used for instructions whose operand- 
size attribute is 32-bits. The doubleword registers are: EAX, EBX, ECX, EDX, ESP, 
EBP, ESI, EDI. The contents of memory are found at the address provided by the 
effective address computation. 

m8: a memory byte addressed by DS:SI or ES:DI (used only by string instructions). 

ml6: a memory word addressed by DS:SI or ES:DI (used only by string instructions). 

m32: a memory doubleword addressed by DS:SI or ES:DI (used only by string 
instructions). 

ml6:16, ml6:32: a memory operand containing a far pointer composed of two numbers. 
The number to the left of the colon corresponds to the pointer's segment selector. The 
number to the right corresponds to its offset. 

ml6&32, ml6&16, m32&32: a memory operand consisting of data item pairs whose sizes 
are indicated on the left and the right side of the ampersand. All memory addressing 
modes are allowed. ml6&16 and m32&32 operands are used by the BOUND instruction 
to provide an operand containing an upper and lower bounds for array indices. ml6&32 
is used by LIDT and LGDT to provide a word with which to load the limit field, and a 
doubleword with which to load the base field of the corresponding Global and Interrupt 
Descriptor Table Registers. 

moffsS, moffsl6, moffs32: (memory offset) a simple memory variable of type BYTE, 
WORD, or DWORD used by some variants of the MOV instruction. The actual address 
is given by a simple offset relative to the segment base. No ModR/M byte is used in the 
instruction. The number shown with moffs indicates its size, which is determined by the 
address-size attribute of the instruction. 

Sreg: a segment register. The segment register bit assignments are ES = 0, CS = 1, SS = 2, 
DS = 3, FS = 4, andGS-5. 

17.2.2.3 CLOCKS 

The "Clocks" column gives the number of clock cycles the instruction takes to execute. 
The clock count calculations makes the following assumptions: 

• The instruction has been prefetched and decoded and is ready for execution. 

• Bus cycles do not require wait states. 
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• There are no local bus HOLD requests delaying processor access to the bus. 

• No exceptions are detected during instruction execution. 

• Memory operands are aligned. 

Clock counts for instructions that have an r/m (register or memory) operand are sepa- 
rated by a slash. The count to the left is used for a register operand; the count to the 
right is used for a memory operand. 

The following symbols are used in the clock count specifications: 

• n, which represents a number of repetitions. 

9 m, which represents the number of components in the next instruction executed, 
where the entire displacement (if any) counts as one component, the entire immedi- 
ate data (if any) counts as one component, and every other byte of the instruction and 
prefix(es) each counts as one component. 

• pin = , a clock count that applies when the instruction executes in Protected Mode. 
pm = is not given when the clock counts are the same for Protected and Real Address 
Modes. 

When an exception occurs during the execution of an instruction and the exception 
handler is in another task, the instruction execution time is increased by the number of 
clocks to effect a task switch. This parameter depends on several factors: 

• The type of TSS used to represent the current task (386 DX TSS or 80286 TSS). 

• The type of TSS used to represent the new task. 

• Whether the current task is in V86 mode. 

• Whether the new task is in V86 mode. 

Table 17-5 summarizes the task switch times for exceptions. 

Table 17-5. Task Switch Times for Exceptions 



Old Task 


New Task 


386™ DX TSS 
VM = 


80286 TSS 


386DX vM=:0 


309 


282 


386DX VM = 1 


314 


231 


80286 
TSS 


307 


282 
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17.2.2.4 DESCRIPTION 

The "Description" column following the "Clocks" column briefly explains the various 
forms of the instruction. The "Operation" and "Description" sections contain more 
details of the instruction's operation. 

17.2.2.5 OPERATION 

The "Operation" section contains an algorithmic description of the instruction which 
uses a notation similar to the Algol or Pascal language. The algorithms are composed of 
the following elements: 

Comments are enclosed within the symbol pairs "(*" and "*)". 

Compound statements are enclosed between the keywords of the "if" statement (IF, 
THEN, ELSE, FI) or of the "do" statement (DO, OD), or of the "case" statement 
(CASE ... OF, ESAC). 

A register name implies the contents of the register. A register name enclosed in brack- 
ets implies the contents of the location whose address is contained in that register. For 
example, ES:[DI] indicates the contents of the location whose ES segment relative ad- 
dress is in register DI. [SI] indicates the contents of the address contained in register SI 
relative to Si's default segment (DS) or overridden segment. 

Brackets also used for memory operands, where they mean that the contents of the 
memory location is a segment-relative offset. For example, [SRC] indicates that the 
contents of the source operand is a segment-relative offset. 

A <- B; indicates that the value of B is assigned to A. 

The symbols =, < >, >, and < are relational operators used to compare two values, 
meaning equal, not equal, greater or equal, less or equal, respectively. A relational ex- 
pression such as A = B is TRUE if the value of A is equal to B; otherwise it is FALSE. 

The following identifiers are used in the algorithmic descriptions: 

• OperandSize represents the operand-size attribute of the instruction, which is either 
16 or 32 bits. AddressSize represents the address-size attribute, which is either 16 or 
32 bits. For example, 

IF instruction = CiVIPSW 
THEN OperandSize <- 16; 
ELSE 

IF instruction - CMPSD 

THEN OperandSize ^ 32; 

FI; 
FI; 
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indicates that the operand-size attribute depends on the form of the CMPS instruc- 
tion used. Refer to the explanation of address-size and operand-size attributes at the 
beginning of this chapter for general guidelines on how these attributes are 
determined. 

• StackAddrSize represents the stack address-size attribute associated with the instruc- 
tion, which has a value of 16 or 32 bits, as explained earlier in the chapter. 

• SRC represents the source operand. When there are two operands, SRC is the one on 
the right. 

• DEST represents the destination operand. When there are two operands, DEST is 
the one on the left. 

• LeftSRC, RightSRC distinguishes between two operands when both are source 
operands. 

• eSP represents either the SP register or the ESP register depending on the setting of 
the B-bit for the current stack segment. 

The following functions are used in the algorithmic descriptions: 

® Truncate to 16 bits(value) reduces the size of the value to fit in 16 bits by discarding 
the uppermost bits as needed. 

© Addr(operand) returns the effective address of the operand (the result of the effec- 
tive address calculation prior to adding the segment base). 

• ZeroExtend (value) returns a value zero-extended to the operand-size attribute of the 
instruction. For example, if OperandSize = 32, ZeroExtend of a byte value of —10 
converts the byte from F6H to doubleword with hexadecimal value 000000F6H. If the 
value passed to ZeroExtend and the operand-size attribute are the same size, 
ZeroExtend returns the value unaltered. 

• SignExtend(value) returns a value sign-extended to the operand-size attribute of the 
instruction. For example, if OperandSize = 32, SignExtend of a byte containing the 
value — 10 converts the byte from F6H to a doubleword with hexadecimal value 
FFFFFFF6H. If the value passed to SignExtend and the operand-size attribute are 
the same size, SignExtend returns the value unaltered. 

• Push(value) pushes a value onto the stack. The number of bytes pushed is deter- 
mined by the operand-size attribute of the instruction. The action of Push is as 
follows: 

IF StackAddrSize = 16 
THEN 

IF OperandSize = 16 
THEN 

SP ^ SP - 2; 

SS:[SP] <- value; (* 2 bytes assigned starting at 
byte address in SP *) 
ELSE (* OperandSize = 32 *) 
SP^SP - 4; 

SS:[SP] ^ value; (* 4 bytes assigned starting at 
byte address in SP *) 
Fl; 
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ELSE (* StackAddrSize = 32 *) 
IF OperandSize =16 
THEN 

ESP <- ESP - 2; 

SS:[ESP] ^ value; (* 2 bytes assigned starting at 
byte address in ESP*) 
ELSE (* OperandSize = 32 *) 
ESP ^ ESP - 4; 

SS:[ESP] ^ value; (* 4 bytes assigned starting at 
byte address in ESP*) 
Fl; 

• Pop(value) removes the value from the top of the stack and returns it. The statement 
EAX <- Pop( ); assigns to EAX the 32-bit value that Pop took from the top of the 
stack. Pop will return either a word or a doubleword depending on the operand-size 
attribute. The action of Pop is as follows: 

IF StackAddrSize = 16 
THEN 

IF OperandSize =16 
THEN 

ret val <- SS:[SP]; (* 2-byte value *) 
SP <- SP + 2; 
ELSE (* OperandSize = 32 *) 

ret val <- SS:[SP]; (* 4-byte value *) 
SP ^ SP + 4; 
Fl; 
ELSE (* StackAddrSize = 32 *) 
IF OperandSize = 16 
THEN 

ret val <- SS:[ESP]; (* 2 bytes value *) 
ESP <- ESP + 2; 
ELSE (* OperandSize = 32 *) 

ret val ^ SS:[ESP]; (* 4 bytes value *) 
ESP<- ESP + 4; 
Fl; 
Fl; 
RETURN(ret val); (*returns a word or doubleword*) 

• Bit[BitBase, BitOffset] returns the address of a bit within a bit string, which is a 
sequence of bits in memory or a register. Bits are numbered from low-order to high- 
order within registers and within memory bytes. In memory, the two bytes of a word 
are stored with the low-order byte at the lower address. 

If the base operand is a register, the offset can be in the range 0..31. This offset 
addresses a bit within the indicated register. An example, "BIT[EAX, 21]" is illus- 
trated in Figure 17-3. 
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Figure 17-3. Bit Offset for BIT[EAX,21] 

If BitBase is a memory address, BitOffset can range from —2 gigabits to 2 gigabits. 
The addressed bit is numbered (Offset MOD 8) within the byte at address (BitBase 
+ (BitOffset DIV 8)), where DIV is signed division with rounding towards negative 
infinity, and MOD returns a positive number. This is illustrated in Figure 17-4. 

• I-0-Permission(I-0-Address, width) returns TRUE or FALSE depending on the I/O 
permission bitmap and other factors. This function is defined as follows: 

IF TSS type is 80286 THEN RETURN FALSE; Fl; 
Ptr <- [TSS + 66]; (* fetch bitmap pointer *) 
BitStringAddr ^ SHR (l-0-Address, 3) + Ptr; 
MaskShift <- l-0-Address AND 7; 
CASE width OF: 

BYTE: nBitiVlask ^ 1 ; 

WORD: nBitMask^3; 

DWORD: nBitMask^ 15; 
ESAC; 

mask ^ SHL (nBitiVlask, MaskShift); 
CheckString ^ [BitStringAddr] AND mask; 
IF CheckString = 
THEN RETURN (TRUE); 
ELSE RETURN (FALSE); 

• Switch-Tasks is the task switching function described in Chapter 7. 

17.2.2.6 DESCRIPTION 

The "Description" section contains further explanation of the instruction's operation. 

17.2.2.7 FLAGS AFFECTED 

The "Flags Affected" section lists the flags that are affected by the instruction, as 
follows: 

• If a flag is always cleared or always set by the instruction, the value is given (0 or 1) 
after the flag name. Arithmetic and logical instructions usually assign values to the 
status flags in the uniform manner described in Appendk C. Nonconventional assign- 
ments are described in the "Operation" section. 
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BIT INDEXING (POSITIVE OFFSET) 




76543210765432 1076543210 




1 1! 1 


1 


1 BITBASE + 1 1 BITBASE 


BITBASE - 1 1 


BIT INDEXING (NEGATIVE OFFSET) 




7654321076543210 7 6 543210 




1 


1 II 1 


1 BITBASE 


BITBASE - 1 1 BITBASE - 2 1 
1 OFFSET =-11 J 




2403311 



Figure 17-4. Memory Bit Indexing 

• The values of flags listed as "undefineci" may be changed by the instruction in an 
indeterminate manner. 

All flags not listed are unchanged by the instruction. 

17.2.2.8 PROTECTED MODE EXCEPTIONS 

This section lists the exceptions that can occur when the instruction is executed in 
386 DX microprocessor Protected Mode. The exception names are a pound sign (#) 
followed by two letters and an optional error code in parentheses. For example, #GP(0) 
denotes a general protection exception with an error code of 0. Table 17-6 associates 
each two-letter name with the corresponding interrupt number. 

Chapter 9 describes the exceptions and the 386 DX microprocessor state upon entry to 
the exception. 

Table 17-6. 386''' DX Microprocessor Exceptions 



Mnemonic 


Interrupt 


Description 


#UD 


6 


Invalid opcode 


#NM 


7 


Coprocessor not available 


#DF 


8 


Double fault 


#TS 


10 


Invalid TSS 


#NP 


11 


Segment or gate not present 


#SS 


12 


Stack fault 


#GP 


13 


General protection fault 


#PF 


14 


Page fault 


#MF 


16 


Math (coprocessor) fault 
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Application programmers should consult the documentation provided with their operat- 
ing systems to determine the actions taken when exceptions occur. 

17.2.2.9 REAL ADDRESS MODE EXCEPTIONS 

Because less error checking is performed by the 386 DX microprocessor in Real Address 
Mode, this mode has fewer exception conditions. Refer to Chapter 14 for further infor- 
mation on these exceptions. 

17.2.2.10 VIRTUAL-8086 MODE EXCEPTIONS 

Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines. Virtual 8086 
Mode exceptions are similar to those for the 8086 processor, but there are some differ- 
ences. Refer to Chapter 15 for details. 
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AAA- 


-ASCII Adjust after Addition 


Opcode 

37 


Instruction Clocks Description 

AAA 4 ASCII adjust AL after addition 



Operation 

IF ((AL AND OFH) > 9) OR (AF = 1) 
THEN 

AL^ (AL + 6) AND OFH; 

AH ^ AH + 1 ; 

AF<- 1; 

CF<- 1; 
ELSE 

CF^O; 

AF <- 0; 
Fl; 

Description 

Execute the AAA instruction only following an ADD instruction that leaves a byte result 
in the AL register. The lower nibbles of the operands of the ADD instruction should be 
in the range through 9 (BCD digits). In this case, the AAA instruction adjusts the AL 
register to contain the correct decimal digit result. If the addition produced a decimal 
carry, the AH register is incremented, and the CF and AF flags are set. If there was no 
decimal carry, the CF and AF flags are cleared and the AH register is unchanged. In 
either case, the AL register is left with its top nibble set to 0. To convert the AL register 
to an ASCII result, follow the AAA instruction with OR AL, 30H. 

Flags Affected 

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the OF, SF, ZF, and PF flags are undefined 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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AAD -ASCII Adjust AX before Division 



Opcode Instruction Clocks Description 

D5 OA AAD 19 ASCII adjust AX before division 



Operation 

AL^ AH * 10 + AL; 
AH <-0; 

Description 

The AAD instruction is used to prepare two unpacked BCD digits (the least-significant 
digit in the AL register, the most-significant digit in the AH register) for a division 
operation that will yield an unpacked result. This is accomplished by setting the AL 
register to AL + (10 * AH), and then clearing the AH register. The AX register is then 
equal to the binary equivalent of the original unpacked two-digit number. 

Flags Affected 

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are 
undefined 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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AAM - ASCII Adjust AX after Multiply 



Opcode Instruction Clocks Description 

D4 OA AAM 17 ASCII adjust AX after multiply 



Operation 

AH^AL/10; 
AL^ALMODIO; 

Description 

Execute the AAM instruction only after executing a MUL instruction between two un- 
packed BCD digits that leaves the result in the AX register. Because the result is less 
than 100, it is contained entirely in the AL register. The AAM instruction unpacks the 
AL result by dividing AL by 10, leaving the quotient (most-significant digit) in the AH 
register and the remainder (least-significant digit) in the AL register. 

Flags Affected 

The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF flags are 
undefined 

Protected IVIode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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AAS -ASCII Adjust AL after Subtraction 



Opcode Instruction Clocks Description 

3F AAS 4 ASCII adjust AL after subtraction 



Operation 

IF (AL AND OFH) > 9 OR AF = 1 
THEN 

AL ^ AL - 6; 

AL^ ALAND OFH; 

AH ^ AH - 1 ; 

AF ^ 1 ; 

CF^ 1; 
ELSE 

CF ^ 0; 

AF <- 0; 
Fl; 

Description 

Execute the AAS instruction only after a SUB instruction that leaves the byte result in 
the AL register. The lower nibbles of the operands of the SUB instruction must have 
been in the range through 9 (BCD digits). In this case, the AAS instruction adjusts the 
AL register so it contains the correct decimal digit result. If the subtraction produced a 
decimal carry, the AH register is decremented, and the CF and AF flags are set. If no 
decimal carry occurred, the CF and AF flags are cleared, and the AH register is un- 
changed. In either case, the AL register is left with its top nibble set to 0. To convert the 
AL result to an ASCII result, follow the AAS instruction with OR AL, 30H. 

Flags Affected 

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the OF, SF, ZF, and PF flags are undefined 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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ADC -Add With Carry 



Opcode 


Instruction 


Clocks 


Description 


14 ib 


ADC AL, imm8 


2 


Add with carry immediate byte to AL 


15 iw 


ADC AX, imm 16 


2 


Add witii carry immediate word to AX 


15 id 


ADC EAX, imm32 


2 


Add witli carry immediate dword to EAX 


80 /2 ib 


ADC r/m8,imm8 


2/7 


Add witli carry immediate byte to r/m byte 


81 /2 iw 


ADC r/m16,imm16 


2/7 


Add witli carry immediate word to r/m word 


81 /2 /of 


ADC r/m32,imm32 


2/7 


Add with CF immediate dword to r/m dword 


83 /2 /Jb 


ADC r/m16,imm8 


2/7 


Add with CF sign-extended immediate byte to r/m word 


83 /2 /5 


ADC r/m32,imm8 


2/7 


Add with CF sign-extended immediate byte into r/m dword 


10 /r 


ADC r/m8,r8 


2/7 


Add with carry byte register to r/m byte 


11 /r 


ADC r/m16,r16 


2/7 


Add with carry word register to r/m word 


11 /r 


ADC r/m32,r32 


2/7 


Add with CF dword register to r/m dword 


12 /r 


ADC r8,r/m8 


2/6 


Add with carry r/m byte to byte register 


13 /r 


ADC r16,r/m16 


2/6 


Add with carry r/m word to word register 


13 Ir 


ADC r32,r/m32 


2/6 


Add with CF r/m dword to dword register 



Operation 

DEST ^ DEST + SRC + CF; 

Description 

The ADC instruction performs an integer addition of the two operands DEST and SRC 
and the carry flag, CF. The result of the addition is assigned to the first operand 
(DEST), and the flags are set accordingly. The ADC instruction is usually executed as 
part of a multi-byte or multi-word addition operation. When an immediate byte value is 
added to a word or doubleword operand, the immediate value is first sign-extended to 
the size of the word or doubleword operand. 

Flags Affected 

The OF, SF, ZF, AF, CF, and PF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address IVlode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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ADD -Add 



Opcode 


Instruction 


Clocks 


Description 


04 ib 


ADD Al, imm8 


2 


Add immediate byte to AL 


05 iw 


ADD AX,imm16 


2 


Add immediate word to AX 


05 id 


ADD EAX,imm32 


2 


Add immediate dword to EAX 


80 /O ib 


ADD r/m8,imm8 


2/7 


Add immediate byte to r/m byte 


81 /O iw 


ADD r/m16,imm16 


2/7 


Add immediate word to r/m word 


81 /O id 


ADD r/m32,imm32 


2/7 


Add immediate dword to r/m dword 


83 /O //^ 


ADD r/m16,imm8 


2/7 


Add sign-extended immediate byte to r/m word 


83/0/5 


ADD r/m32,imm8 


2/7 


Add sign-extended immediate byte to r/m dword 


00 /r 


ADD r/m8,r8 


2/7 


Add byte register to r/m byte 


01 /r 


ADD r/m16,r16 


2/7 


Add word register to r/m word 


01 Ir 


ADD r/m32,r32 


2/7 


Add dword register to r/m dword 


02 /r 


ADD r8,r/m8 


2/6 


Add r/m byte to byte register 


03 /r 


ADD r16,r/m16 


2/6 


Add r/m word to word register 


03 /r 


ADD r32,r/m32 


2/6 


Add r/m dword to dword register 



Operation 

DEST ^ DEST + SRC; 

Description 

The ADD instruction performs an integer addition of the two operands (DEST and 
SRC). The result of the addition is assigned to the first operand (DEST), and the flags 
are set accordingly. 

When an immediate byte is added to a word or doubleword operand, the immediate 
value is sign-extended to the size of the word or doubleword operand. 

Flags Affected 

The OF, SF, ZF, AF, CF, and PF flags are set according to the result 

Protected SVlode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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AND -Logical AND 



Opcode 


Instruction 


Clocks 


Description 


24 ib 


AND M,imm8 


2 


AND immediate byte to AL 


25 iw 


AND AX,imm16 


2 


AND immediate word to AX 


25 id 


AND EAX,imm32 


2 


AND immediate dword to EAX 


80 /4 ib 


AND r/m8,imm8 


2/7 


AND immediate byte to r/m byte 


81 /4iw 


AND r/m16,imm16 


2/7 


AND immediate word to r/m word 


81 /4 /cf 


AND r/m32,imm32 


2/7 


AND immediate dword to r/m dword 


83 /4 /t» 


AND r/m16,imm8 


2/7 


AND sign-extended immediate byte with r/m word 


83 /4 /fc> 


AND r/m32,imm8 


2/7 


AND sign-extended immediate byte with r/m dword 


20 A 


AND r/i7?8,r5 


2/7 


AND byte register to r/m byte 


21 Ir 


AND r/m16,r16 


2/7 


AND word register to r/m word 


21 /r 


AND r/m32,r32 


2/7 


AND dword register to r/m dword 


22 Ir 


AND r8,r/ma 


2/6 


AND r/m byte to byte register 


23 /r 


AND r16,r/m16 


2/6 


AND r/m word to word register 


23 /r 


AND r32,r/m32 


2/6 


AND r/m dword to dword register 



Operation 

DEST <- DEST AND SRC; 

CF ^ 0; 

OF^O; 

Description 

Each bit of the result of the AND instruction is a 1 if both corresponding bits of the 
operands are 1; otherwise, it becomes a 0. 

Flags Affected 

The CF and OF flags are cleared; the PF, SF, and ZF flags are set according to the 
result 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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ARPL- Adjust RPL Field of Selector 



Opcode Instruction Clocks Description 

63 Ir ARPL r/m16,r16 pm= 20/21 Adjust RPL of r/m16\o not less than RPL of r16 



Operation 

IF RPL bits(0.1) of DEST < RPL bits(0,1) of SRC 
THEN 

ZF ^ 1 ; 

RPL bits(0,1) of DEST ^ RPL bits(0,1) of SRC; 
ELSE 

ZF ^ 0; 
Fl; 



Description 

The ARPL instruction has two operands. The first operand is a 16-bit memory variable 
or word register that contains the value of a selector. The second operand is a word 
register. If the RPL field ("requested privilege level" — bottom two bits) of the first 
operand is less than the RPL field of the second operand, the ZF flag is set and the RPL 
field of the first operand is increased to match the second operand. Otherwise, the ZF 
flag is cleared and no change is made to the first operand. 

The ARPL instruction appears in operating system software, not in application pro- 
grams. It is used to guarantee that a selector parameter to a subroutine does not request 
more privilege than the caller is allowed. The second operand of the ARPL instruction is 
normally a register that contains the CS selector value of the caller. 

Flags Affected 

The ZF flag is set if the RPL field of the first operand is less than that of the second 
operand 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 6; the ARPL instruction is not recognized in Real Address Mode 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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BOUND 


— Check Array Index Against Bounds 


Opcode 

62 Ir 
62 Ir 


Instruction 

BOUND r16,m16&16 
BOUND r32,m32&32 


Clocks 

10 
10 


Description 

Check if r16 is within bounds (passes test) 
Check if r32 is within bounds (passes test) 



Operation 

IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8]) 

(* Under lower bound or over upper bound *) 
THEN Interrupt 5; 
Fl; 

Description 

The BOUND instruction ensures that a signed array index is within the Hmits specified 
by a block of memory consisting of an upper and a lower bound. Each bound uses one 
word when the operand-size attribute is 16 bits and a doubleword when the operand-size 
attribute is 32 bits. The first operand (a register) must be greater than or equal to the 
first bound in memory (lower bound), and less than or equal to the second bound in 
memory (upper bound) plus the number of bytes occupied for the operand size. If the 
register is not within bounds, an Interrupt 5 occurs; the return EIP points to the 
BOUND instruction. 

The bounds limit data structure is usually placed just before the array itself, making the 
limits addressable via a constant offset from the beginning of the array. 

Flags Affected 

None 

Protected Mode Exceptions 

Interrupt 5 if the bounds test fails, as described above; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault 

The second operand must be a memory operand, not a register. If the BOUND instruc- 
tion is executed with a ModR/M byte representing a register as the second operand, 
#UD occurs. 

Real Address Mode Exceptions 

Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the operand would lie 
outside of the effective address space from to OFFFFH; Interrupt 6 if the second 
operand is a register 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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BSF — Bit Scan Forward 



Opcode 

OF BC 
OF BC 



Instruction 

BSF r16,r/m16 
BSF r32,r/m32 



Clocks 

11+3r7 
11+3n 



Description 

Bit scan forward on r/m word 
Bit scan forward on r/m dword 



Notes 

n is the number of leading zero bits. 

Operation 

IF r/m = 
THEN 

ZF^1; 

register ^ UNDEFINED; 
ELSE 

temp ^ 0; 

ZF ^ 0; 

WHILE BIT[r/m, temp = 0] 

DO 
temp <- temp + 1 ; 
register ^ temp; 

CD; 
Fl; 

Description 

The BSF instruction scans the bits in the second word or doubleword operand starting 
with bit 0. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the 
destination register is loaded with the bit index of the first set bit. 

Flags Affected 

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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BSR — Bit Scan Reverse 



Opcode Instruction Clocks Description 

OF BD BSR r16,r/m16 9 + 3n Bit scan reverse on r/m word 

OF BD BSR r32,r/m32 9 + 3/7 Bit scan reverse on r/m dword 



Operation 

IF r/m =0 
THEN 

ZF^1; 

register <- UNDEFINED; 
ELSE 

teiTip <- OperandSize - 1 ; 

ZF ^ 0; 

WHILE BIT[r/A77, temp] = 

DO 
temp ^ temp - 1; 
register ^ temp; 

OD; 
Fl; 

Description 

The BSR instruction scans the bits in the second word or doubleword operand from the 
most significant bit to the least significant bit. The ZF flag is set if all the bits are 0; 
otherwise, the ZF flag is cleared and the destination register is loaded with the bit index 
of the first set bit found when scanning in the reverse direction. 

Flags Affected 

The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared 

Protected IVIode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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BT- Bit Test 



Opcode 

OF A3 
OF A3 
OF BA /4 ib 
OF BA /4 ib 


Instruction 

BT r/m16,r16 
BT r/m32.r32 
BT r/m16,imm8 
BT r/m32,imm8 


Clocks 

3/12 
3/12 
3/6 
3/6 


Description 

Save bit in carry flag 
Save bit in carry flag 
Save bit in carry flag 
Save bit in carry flag 



Operation 

CF ^ BIT[LeftSRC, RightSRC]; 

Description 

The BT instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag. 

Flags Affected 

The CF flag contains the value of the selected bit 

Protected IVIode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 
displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 bits are 
shifted and combined with the byte displacement in the addressing mode. 

17-32 



Intel' 



386^rDX MICROPROCESSOR INSTRUCTION SET 



When accessing a bit in memory, the 386 DX microprocessor may access four bytes 
starting from the memory address given by: 

Effective Address + (4 * (BitOffset DIV 32)) 

for a 32-bit operand size, or two bytes starting from the memory address given by: 

Effective Address + (2 * (BitOffset DIV 16)) 

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 
registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. 
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BTC — Bit Test and Complement 



opcode 

OF BB 
OF BB 
OF BA 17 ib 
OF BA /7 ib 



Instruction 

BTC r/m16,r16 
BTC r/m32,r32 
BTC r/m16,imm8 
BTC r/m32,imm8 



Clocks 

6/13 
6/13 
6/8 
6/8 



Description 

Save bit in carry flag and complement 
Save bit in carry flag and complement 
Save bit in carry flag and complement 
Save bit in carry flag and complement 



Operation 

CF <- BIT[LeftSRC, RightSRC]; 

BIT[LeftSRC. RightSRC] ^ NOT BIT[LeftSRC, RightSRC]; 

Description 

The BTC instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag and then complements the bit. 

Flags Affected 

The CF flag contains the complement of the selected bit 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 
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displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 bits are 
shifted and combined with the byte displacement in the addressing mode. 

When accessing a bit in memory, the 386 DX microprocessor may access four bytes 
starting from the memory address given by: 

Effective Address + (4 * (BitOffset DIV 32)) 

for a 32-bit operand size, or two bytes starting from the memory address given by: 

Effective Address + (2 * (BitOffset DIV 16)) 

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 
registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. 
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BTR- 


Bit Test and Reset 




Opcode 

OF B3 
OF B3 
OF BA /6 ib 
OF BA /6 ib 


Instruction 

BTR r/m16,r16 
BTR r/m32,r32 
BTR r/m16,imm8 
BTR r/m32,imm8 


Clocks 

6/13 
6/13 
6/8 
6/8 


Description 

Save bit in carry flag and reset 
Save bit in carry flag and reset 
Save bit in carry flag and reset 
Save bit in carry flag and reset 



Operation 

CF <- BIT[LeftSRC, RightSRC]; 
BIT[LeftSRC, RightSRC] <- 0; 

Description 

The BTR instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag and then stores in the bit. 

Flags Affected 

The CF flag contains the value of the selected bit 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 (or 15) are supported by using the immediate bit offset field in combination with 
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the displacement field of the memory operand. The low-order 3 to 5 bits of the imme- 
diate bit offset are stored in the immediate bit offset field, and the high-order 27 to 29 
bits are shifted and combined with the byte displacement in the addressing mode. 

When accessing a bit in memory, the 386 DX microprocessor may access four bytes 
starting from the memory address given by: 

Effective Address + 4 * (BitOffset DIV 32) 

for a 32-bit operand size, or two bytes starting from the memory address given by: 

Effective Address + 2 * (BitOffset DIV 16) 

for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 
registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. 
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BTS -Bit Test and Set 



Opcode 

OF AB 
OF AB 
OF BA /5 ib 
OF BA /5 ib 


instruction 

BTS r/m16,r16 
BTS r/m32,r32 
BTS r/m16,imm8 
BTS r/m32,imm8 


Cloclcs 

6/13 
6/13 
6/8 
6/8 


Description 

Save bit in carry flag and set 
Save bit in carry flag and set 
Save bit in carry flag and set 
Save bit in carry flag and set 



Operation 

CF ^ BIT[LeftSRC, RightSRC]; 
BIT[LeftSRC. RightSRC] ^ 1 ; 

Description 

The BTS instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag and then stores 1 in the bit. 

Flags Affected 

The CF flag contains the value of the selected bit 

Protected IVIode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #FF(fault-code) for a page fault 

Notes 

The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 

17-38 



intel' 



386™ DX MICROPROCESSOR INSTRUCTION SET 



displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high order 27 to 29 bits are 
shifted and combined with the byte displacement in the addressing mode. 

When accessing a bit in memory, the 386 DX microprocessor may access four bytes 
starting from the memory address given by: 

Effective Address + (4 * (BitOffset DIV 32)) 

for a 32-bit operand size, or two bytes starting from the memory address given by: 

Effective Address + (2 * (BitOffset DIV 16)) 

for a 16-bit operand size. It may do this even when only a single byte needs to be 
accessed in order to get at the given bit. You must therefore be careful to avoid refer- 
encing areas of memory close to address space holes. In particular, avoid references to 
memory-mapped I/O registers. Instead, use the MOV instructions to load from or store 
to these addresses, and use the register form of these instructions to manipulate the 
data. 
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CALL -Call Procedure 



Opcode 


Instruction 


Clocks 


Description 


E8 c\N 


CALL re/76 


7 + m 


Call near, displacement relative to next instruction 


FF /2 


CALL r/m76 


7 + m/l + AT? 


Call near, register indirect/memory indirect 


9A c6 


CALL pXr16-Ae 


17 + /77,pm=34 + m 


Call intersegment, to full pointer given 


9A c6 


CALL ptr1 6: 16 


pm = 52 + /T7 


Call gate, same privilege 


9A cd 


CALL ptr16:16 


pnn = 86 + AT7 


Call gate, more privilege, no parameters 


9A c6 


CALL ptr16:16 


pm = 94 + 4x+A77 


Call gate, more privilege, x parameters 


9A c6 


CALL ptr1 6: 16 


ts 


Call to task 


FF /3 


CALL m16:16 


22 + m,pm = 38 + /77 


Call intersegment, address at r/m dword 


FF /3 


CALL ATI 7 6; 7 6 


pm = 56 + m 


Call gate, same privilege 


FF /3 


CALL m16:16 


pm = 90 + m 


Call gate, more privilege, no parameters 


FF /3 


CALL m16:16 


pm = 98 + 4x-/-m 


Call gate, more privilege, x parameters 


FF /3 


CALL m7a-76 


5 + ts 


Call to task 


E8 cd 


CALL rel32 


7 + m 


Call near, displacement relative to next instruction 


FF /2 


CALL r/irr732 


7 + Ar7/10 + m 


Call near, indirect 


9A cp 


CALL pfr76;32 


17 + m,pm=34 + A77 


Call intersegment, to full pointer given 


9A cp 


CALL ptr16:32 


pm = 52 + m 


Call gate, same privilege 


9A cp 


CALL pfr76;32 


pnn = 86 + m 


Call gate, more privilege, no parameters 


9A cp 


CALL ptr32:32 


pm = 94 + 4x -fm 


Call gate, more privilege, x parameters 


9A cp 


CALL pfr76;32 


ts 


Call to task 


FF /3 


CALL m76;32 


22 + m,pm= 38 + /T7 


Call intersegment, address at r/m dword 


FF/3 


CALL ml 6:32 


pnn = 56 + m 


Call gate, same privilege 


FF/3 


CALL m76;32 


pm = 90 + /r7 


Call gate, more privilege, no parameters 


FF /3 


CALL m 16:32 


pm = 98 + 4x+m 


Call gate, more privilege, x parameters 


FF /3 


CALL m76;32 


5 + ts 


Call to task 



NOTE: Values of ts are given by the following table: 



Old Task 


New Task 


386™ DX TSS 
VM = 


386 DX TSS 
VM = 1 


80286 TSS 


Via Task Gate? 


N 


Y 


N 


Y 


N 


Y 


^11 DX VM = 


392 


401 


309 


321 


285 


294 


80286 
TSS 


310 


316 


229 


238 


285 


294 



Operation 

IF re/76 or rel32 type of call 
THEN (* near relative call *) 
IF OperandSize = 16 
THEN 
Push(IP); 

EIP ^ (EIP + rel16j AND OOOOFFFFH; 
ELSE (* OperandSize = 32 *) 
Push(EIP); 
EIP ^ EIP + rel32\ 
Fl; 
Fl; 
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IF r/m16 or r/m32 type of call 
THEN (* near absolute call *) 
IF OperandSize = 16 
THEN 
Push(IP); 

EIP ^ [r/m16\ AND OOOOFFFFH; 
ELSE (* OperandSize = 32 *) 
Push(EIP); 
EIP ^ [r/m32\', 
Fl; 
Fl; 

IF (PE = OR (PE = 1 AND VM = 1)) 
(* real mode or virtual 8086 mode *) 
AND instruction = far CALL 

(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32*) 
THEN 
IF OperandSize = 16 
THEN 
Push(CS); 

Push(IP); (* address of next instruction; 16 bits *) 
ELSE 
Push(CS); (* padded with 16 high-order bits *) 
Push(EIP); (* address of next instruction; 32 bits *) 
Fl; 

IF operand type is m16:16 or m16:32 
THEN (* indirect far call *) 
IF OperandSize = 16 
THEN 
CS:\P ^[m1 6: 16\; 

EIP ^ EIP AND OOOOFFFFH; (* clear upper 16 bits *) 
ELSE (* OperandSize = 32 *) 

CS:EIP 4- [m16:32\; 
Fl; 
Fl; 

IF operand type is ptr16:16 or ptr16:32 
THEN (* direct far call *) 
IF OperandSize = 16 
THEN 
CS:\P^ ptn 6:1 e, 

EIP ^ EIP AND OOOOFFFFH; (* clear upper 16 bits *) 
ELSE (* OperandSize = 32 *) 

CS:E\P ^ ptr1 6:32; 
Fl; 
Fl; 
Fl; 

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) 

AND instruction = far CALL 
THEN 
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If indirect, then check access of EA doubleword; 

#GP(0) if limit violation; 
New CS selector must not be null else #GP(0); 
Check that new CS selector index is within its 

descriptor table limits; else #GP(new CS selector); 
Examine AR byte of selected descriptor for various legal values; 

depending on value: 

go to CONFORMING-CODE-SEGMENT; 

go to NONCONFORMING-CODE-SEGMENT; 

go to CALL-GATE; 

go to TASK-GATE; 

go to TASK-STATE-SEGMENT; 
ELSE #GP(code segment selector); 
Fl; 

CONFORMING-CODE-SEGMENT: 
DPL must be < CPL ELSE #GP(code segment selector); 
Segment must be present ELSE #NP(code segment selector); 
Stack must be big enough for return address ELSE #SS(0); 
Instruction pointer must be in code segment limit ELSE #GP(0); 
Load code segment descriptor into CS register; 
Load CS with new code segment selector; 
Load EIP with zero-extend (new offset); 
IF OperandSize = 16 THEN EIP ^ EIP AND OOOOFFFFH; Fl; 

NONCONFORMING-CODE-SEGMENT: 
RPL must be < CPL ELSE #GP(code segment selector) 
DPL must be = CPL ELSE #GP(code segment selector) 
Segment must be present ELSE #NP(code segment selector) 
Stack must be big enough for return address ELSE #SS(0) 
Instruction pointer must be in code segment limit ELSE #GP(0) 
Load code segment descriptor into CS register 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load EIP with zero-extend (new offset); 
IF OperandSize = 16 THEN EIP <- EIP AND OOOOFFFFH; Fl; 

CALL-GATE: 
Call gate DPL must be > CPL ELSE #GP(call gate selector) 
Call gate DPL must be > RPL ELSE #GP(call gate selector) 
Call gate must be present ELSE #NP(call gate selector) 
Examine code segment selector in call gate descriptor: 
Selector must not be null ELSE #GP(0) 
Selector must be within its descriptor table 
limits ELSE #GP(code segment selector) 
AR byte of selected descriptor must indicate code 

segment ELSE #GP(code segment selector) 
DPL of selected descriptor must be < CPL ELSE 
#GP(code segment selector) 



17-42 



intel' 



386™ DX MICROPROCESSOR INSTRUCTION SET 



IF non-conforming code segment AND DPL < GPL 
THEN go to MORE-PRIVILEGE 
ELSE go to SAME-PRIVILEGE 
Fl; 

MORE-PRIVILEGE: r 

Get new SS selector for new privilege level from TSS 
Check selector and descriptor for iiew SS: 
Selector must not be null ELSE #TS(0) 
Selector index must be within its descriptor 

table limits ELSE #TS(SS selector) 
Selector's RPL must equal DPL of code segment 

ELSE #TS(SS selector) 
Stack segment DPL must equal DPL of code 

segment ELSE #TS(SS selector) 
Descriptor must indicate writable data segment 

ELSE #TS(SS selector) 
Segment present ELSE #SS(SS selector) 
IF OperandSize = 32 
THEN 
New stack must have room for parameters plus 16 bytes 

ELSE #SS(SS selector) 
EIP must be in code segment limit ELSE #GP(0) 
Load new SS:eSP value from TSS 
Load new CS:EIP value from gate 
ELSE 
New stack must have room for parameters plus 8 bytes 

ELSE #SS(SS selector) 

IP must be in code segment limit ELSE #GP(0) 

Load new SS:eSP value from TSS 

Load new CS:IP value from gate 
Fl; 

Load CS descriptor 
Load SS descriptor 

Push long pointer of old stack onto new stack 
Get word count from call gate, mask to 5 bits 
Copy parameters from old stack onto new stack 
Push return address onto new stack 
Set CPL to stack segment DPL 
Set RPL of CS to CPL 

SAME-PRIVILEGE: 
IF OperandSlze = 32 
THEN 
Stack must have room for 6-byte return address (padded to 8 bytes) 

ELSE#SS(0) 
EIP must be within code segment limit ELSE #GP(0) 
Load CS:EIPfrom gate 
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ELSE 

Stack must have room for 4-byte return address ELSE #SS(0) 

IP must be within code segment limit ELSE #GP(0) 

Load OS: IP from gate 
Fl; 

Push return address onto stack 
Load code segment descriptor into CS register 
Set RPL of CS to GPL 

TASK-GATE: 
Task gate DPL must be > GPL ELSE #TS(gate selector) 
Task gate DPL must be > RPL ELSE #TS(gate selector) 
Task Gate must be present ELSE #NP(gate selector) 
Examine selector to TSS, given in Task Gate descriptor: 

Must specify global in the local/global bit ELSE #TS (TSS selector) 

Index must be within GDT limits ELSE #TS(TSS selector) 

TSS descriptor AR byte must specify nonbusy TSS 
ELSE #TS(TSS selector) 

Task State Segment must be present ELSE #NP(TSS selector) 
SWITCH-TASKS (with nesting) to TSS 
IP must be in code segment limit ELSE #TS(0) 

TASK-STATE-SEGMENT: 
TSS DPL must be > CPL else #TS(TSS selector) 
TSS DPL must be > RPL ELSE #TS(TSS selector) 
TSS descriptor AR byte must specify available TSS 

ELSE #GP(TSS selector) 
Task State Segment must be present ELSE #NP(TSS selector) 
SWITCH-TASKS (with nesting) to TSS 
IP must be in code segment limit ELSE #TS(0) 

Description 

The CALL instruction causes the procedure named in the operand to be executed. 
When the procedure is complete (a return instruction is executed within the procedure), 
execution continues at the instruction that follows the CALL instruction. 

The action of the different forms of the instruction are described below. 

Near calls are those with destinations of type r/m16, r/m32, rel16, rel32; changing or saving 
the segment register value is not necessary. The CALL rel16 and CALL re/32 forms add 
a signed offset to the address of the instruction following the CALL instruction to de- 
termine the destination. The rel16 form is used when the instruction's operand-size at- 
tribute is 16 bits; rel32 is used when the operand-size attribute is 32 bits. The result is 
stored in the 32-bit EIP register. With re/76, the upper 16 bits of the EIP register are 
cleared, resulting in an offset whose value does not exceed 16 bits. CALL r/m 16 and 
CALL r/m32 specify a register or memory location from which the absolute segment 
offset is fetched. The offset fetched from r/m is 32 bits for an operand-size attribute of 32 
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(r/m32), or 16 bits for an operand-size of 16 (r/m16). The offset of the instruction follow- 
ing the CALL instruction is pushed onto the stack. It will be popped by a near RET 
instruction within the procedure. The CS register is not changed by this form of CALL. 

The far calls, CALL ptr16:16 and CALL ptr16:32, use a four-byte or six-byte operand as 
a long pointer to the procedure called. The CALL m16:16 and m16:32 forms fetch the 
long pointer from the memory location specified (indirection). In Real Address Mode or 
Virtual 8086 Mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits 
for the EIP register (depending on the operand-size attribute). These forms of the in- 
struction push both the CS and IP or EIP registers as a return address. 

In Protected Mode, both long pointer forms consult the AR byte in the descriptor in- 
dexed by the selector part of the long pointer. Depending on the value of the AR byte, 
the call will perform one of the following types of control transfers: 

• A far call to the same protection level 

• An inter-protection level far call 
© A task switch 

For more information on Protected Mode control transfers, refer to Chapter 6 and 
Chapter 7. 

Flags Affected 

All flags are affected if a task switch occurs; no flags are affected if a task switch does 
not occur 

Protected Mode Exceptions 

For far calls: #GP, #NP, #SS, and #TS, as indicated in the "Operation" section 

For near direct calls: #GP(0) if procedure location is beyond the code segment limits; 
#SS(0) if pushing the return address exceeds the bounds of the stack segment; #PF 
(fault-code) for a page fault 

For a near indirect call: #GP(0) for an illegal memory operand effective address in the 
CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; 
#GP(0) if the indirect offset obtained is beyond the code segment limits; #PF(fault- 
code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

Any far call from a 32-bit code segment to a 16-bit code segment should be made from 
the first 64K bytes of the 32-bit code segment, because the operand-size attribute of the 
instruction is set to 16, allowing only a 16-bit return address offset to be saved. 
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CBW/CWDE- Convert Byte to Word/Convert Word to 
Doubleword 



Opcode Instruction Clocks Description 

98 CBW 3 AX <- sign-extend of AL 

98 CWDE 3 EAX ^ sign-extend of AX 



Operation 

IF OperandSize = 16 (* instruction = CBW *) 

THEN AX ^ SignExtend(AL); 

ELSE (* OperandSize = 32, instruction = CWDE *) 

EAX ^ SignExtend{AX); 
Fl; 

Description 

The CBW instruction converts the signed byte in the AL register to a signed word in the 
AX register by extending the most significant bit of the AL register (the sign bit) into all 
of the bits of the AH register. The CWDE instruction converts the signed word in the 
AX register to a doubleword in the EAX register by extending the most significant bit of 
the AX register into the two most significant bytes of the EAX register. Note that the 
CWDE instruction is different from the CWD instruction. The CWD instruction uses 
the DX:AX register pair rather than the EAX register as a destination. 

Flags Affected 

None 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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CLC- 


-Clear Carry Flag 




Opcode 

F8 


Instruction Clocks 

CLC 2 


Description 

Clear carry flag 



Operation 

OF 4-0; 

Description 

The CLC instruction clears the CF flag. It does not affect other flags or registers. 

Flags Affected 

The CF flag is cleared 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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CLD- Clear Direction Flag 



Opcode Instruction 

FC CLD 



Clocks 

2 



Description 

Clear direction flag; SI and Dl will increment dur- 
ing string instructions 



Operation 

DF <- 0; 

Description 

The CLD instruction clears the direction flag. No other flags or registers are affected. 
After a CLD instruction is executed, string operations will increment the index registers 
(SI and/or DI) that they use. 

Flags Affected 

The DF flag is cleared 

Protected l\/lode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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CLI — Clear Interrupt Flag 



opcode Instruction Clocks Description 

FA CLI 8 Clear interrupt flag; interrupts disabled 



Operation 

IF<-0; 

Description 

The CLI instruction clears the IF flag if the current privilege level is at least as privileged 
as lOPL. No other flags are affected. External interrupts are not recognized at the end 
of the CLI instruction or from that point on until the IF flag is set. 

Flags Affected 

The IF flag is cleared 

Protected Mode Exceptions 

#GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege 
level in the flags register. The I/O privilege level specifies the least privileged level at 
which I/O can be performed. 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

#GP(0) as for Protected Mode 
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CLTS- 


- Clear Task-Switched Flag in CRO 


Opcode 

OF 06 


Instruction Clocks Description 

CLTS 6 Clear task-switched flag 



Operation 

IS Flag in CRO ^ 0; 

Description 

The CLTS instruction clears the task-switched (TS) flag in the CRO register. This flag is 
set by the 386 processor every time a task switch occurs. The TS flag is used to manage 
processor extensions as follows: 

• Every execution of an ESC instruction is trapped if the TS flag is set. 

• Execution of a WAIT instruction is trapped if the MP flag and the TS flag are both 
set. 

Thus, if a task switch was made after an ESC instruction was begun, the processor 
extension's context may need to be saved before a new ESC instruction can be issued. 
The fault handler saves the context and clears the TS flag. 

The CLTS instruction appears in operating system software, not in application pro- 
grams. It is a privileged instruction that can only be executed at privilege level 0. 

Flags Affected 

The TS flag is cleared (the TS flag is in the CRO register, not the flags register) 

Protected Mode Exceptions 

#GP(0) if the CLTS instruction is executed with a current privilege level other than 

Real Address Mode Exceptions 

None (valid in Real Address Mode to allow initialization for Protected Mode) 

Virtual 8086 Mode Exceptions 

None 
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CMC — Complement Carry Flag 



Opcode Instruction Clocks Description 

F5 CMC 2 Complement carry flag 



Operation 

CF^NOTCF; 

Description 

The CMC instruction reverses the setting of the CF flag. No other flags are affected. 

Flags Affected 

The CF flag contains the complement of its original value 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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CMP — Compare Two Operands 



Opcode 


Instruction 


Clocks 


Description 


3C ib 


CMP ALJmmd 


2 


Compare immediate byte to AL 


3D iw 


CMP PX,imm1 6 


2 


Compare immediate word to AX 


3D id 


CMP EAK,imm32 


2 


Compare immediate dword to EAX 


80 /7 ib 


CMP r/m8,imm8 


2/5 


Compare immediate byte to r/m byte 


81 /7 iw 


CMP r/m16,imm16 


2/5 


Compare immediate word to r/m word 


81 /7 id 


CMP r/m32,imm32 


2/5 


Compare immediate dword to r/m dword 


83 /7 //3 


CMP r/m16,imm8 


2/5 


Compare sign extended immediate byte to r/m word 


83 /7 //3 


CMP r/m32,imme 


2/5 


Compare sign extended immediate byte to r/m dword 


38 /r 


CMP r/mS,r8 


2/5 


Compare byte register to r/m byte 


39 /r 


CMP r/m16,r16 


2/5 


Compare word register to r/m word 


39 /r 


CMP r/m32,r32 


2/5 


Compare dword register to r/m dword 


3A/r 


CMP rS,r/mS 


2/6 


Compare r/m byte to byte register 


3B /r 


CMP r16,r/m16 


2/6 


Compare r/m word to word register 


3B Ir 


CMP r32,r/m32 


2/6 


Compare r/m dword to dword register 



Operation 

LeftSRC - SignExtend(RightSRC); 

(* CMP does not store a result; its purpose is to set the flags *) 

Description 

The CMP instruction subtracts the second operand from the first but, unhke the SUB 
instruction, does not store the result; only the flags are changed. The CMP instruction is 
typically used in conjunction with conditional jumps and the SETcc instruction. (Refer to 
Appendix D for the Hst of signed and unsigned flag tests provided.) If an operand 
greater than one byte is compared to an immediate byte, the byte value is first 
sign-extended. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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CMPS/CMPSB/CMPSW/CMPSD- Compare String Operands 



Opcode 


Instruction 


Clocks 


Description 


A6 


CMPS m8,m8 


10 


Compare bytes ES:[(E)DI] (second operand) with [(E)SI] (first operand) 


A7 


CMPS m16,m16 


10 


Compare words ES:[(E)DI] (second operand) witli [(E)SI] (first operand) 


A7 


CMPS m32,m32 


10 


Compare dwords ES:[(E)DI] (second operand) witli [(E)SI] (first operand) 


A6 


CMPSB 


10 


Compare bytes ES:[(E)DI] witli DS:[SI] 


A7 


CMPSW 


10 


Compare words ES:[(E)DI] with DS:[SI] 


A7 


CMPSD 


10 


Compare dwords ES:[(E)DI] with DS:[SI] 



Operation 

IF (instruction = CIVIPSD) OR 

(instruction has operands of type DWORD) 
THEN OperandSizeV- 32; 
ELSE OperandSize <- 16; 
Fl; 

IF AddressSize = 16 
THEN 

use SI for source-index and Dl for destination-index 
ELSE (* AddressSize = 32 *) 

use ESI for source-index and EDI for destination-index; 
Fl; 

IF byte type of instruction 
THEN 

[source-index] - [destination-index]; (* byte comparison *) 

IF DF = THEN IncDec ^ 1 ELSE IncDec ^ - 1 ; Fl; 
ELSE 

IF OperandSize = 16 

THEN 

[source-index] - [destination-index]; (* word comparison *) 
IF DF = THEN IncDec ^ 2 ELSE IncDec <- -2; Fl; 

ELSE (* OperandSize = 32 *) 
[source-index] - [destination-index]; (* dword comparison *) 
IF DF = THEN IncDec ^ 4 ELSE IncDec ^ -4; Fl; 

Fl; 
Fl; 

source-index = source-index + IncDec; 
destination-index = destination-index + IncDec; 

Description 

The CMPS instruction compares tlie byte, word, or doubleword pointed to by the 
source-index register with the byte, word, or doubleword pointed to by the destination- 
index register. 

If the address-size attribute of this instruction is 16 bits, the SI and DI registers will be 
used for source- and destination-index registers; otherwise the ESI and EDI registers 
will be used. Load the correct index values into the SI and DI (or ESI and EDI) registers 
before executing the CMPS instruction. 
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The comparison is done by subtracting the operand indexed by the destination-index 
register from the operand indexed by the source-index register. 

Note that the direction of subtraction for the CMPS instruction is [SI] - [DI] or [ESI] 
- [EDI]. The left operand (SI or ESI) is the source and the right operand (DI or EDI) 
is the destination. This is the reverse of the usual Intel® convention in which the left 
operand is the destination and the right operand is the source. 

The result of the subtraction is not stored; only the flags reflect the change. The types of 
the operands determine whether bytes, words, or doublewords are compared. For the 
first operand (SI or ESI), the DS register is used, unless a segment override byte is 
present. The second operand (DI or EDI) must be addressable from the ES register; no 
segment override is possible. 

After the comparison is made, both the source-index register and destination-index reg- 
ister are automatically advanced. If the DF flag is (a CLD instruction was executed), 
the registers increment; if the DF flag is 1 (an STD instruction was executed), the 
registers decrement. The registers increment or decrement by 1 if a byte is compared, by 
2 if a word is compared, or by 4 if a doubleword is compared. 

The CMPSB, CMPSW and CMPSD instructions are synonyms for the byte, word, and 
doubleword CMPS instructions, respectively. 

The CMPS instruction can be preceded by the REPE or REPNE prefix for block com- 
parison of CX or ECX bytes, words, or doublewords. Refer to the description of the 
REP instruction for more information on this operation. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would He outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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CWD/CDQ — Convert Word to Doubleword/Convert Doubleword 
to Quadword 



Opcode 


Instruction 


C 


99 


CWD 


2 


99 


CDQ 


2 



Clocks Description 



DX:AX "^ sign-extend of AX 
EDX:EAX ^ sign-extend of EAX 



Operation 

IF OperandSize = 16 (* CWD instruction *) 
THEN 

IF AX < THEN DX ^ OFFFFH; ELSE DX ^ 0; Fl; 
ELSE (* OperandSize = 32, CDQ instruction *) 

IF EAX < THEN EDX ^ OFFFFFFFFH; ELSE EDX ^0; Fl; 
Fl; 

Description 

The CWD instruction converts the signed word in the AX register to a signed double- 
word in the DX: AX register pair by extending the most significant bit of the AX register 
into all the bits of the DX register. The CDQ instruction converts the signed doubleword 
in the EAX register to a signed 64-bit integer in the register pair EDXiEAX by extend- 
ing the most significant bit of the EAX register (the sign bit) into all the bits of the EDX 
register. Note that the CWD instruction is different from the CWDE instruction. The 
CWDE instruction uses the EAX register as a destination, instead of the DX: AX regis- 
ter pair. 

Flags Affected 

None 

Protected iViode Exceptions 

None 

Real Address IVIode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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DAA~ Decimal Adjust AL after Addition 



Opcode Instruction Clocks Description 

27 DAA 4 Decimal adjust AL after addition 



Operation 

IF ((AL AND OFH) > 9) OR (AF = 1) 
THEN 

AL ^ AL + 6; 

AF ^ 1 ; 
ELSE 

AF ^ 0; 
Fl; 

IF (AL > 9FH) OR (OF = 1) 
THEN 

AL ^ AL + 60H; 

CF<-1; 
ELSE OF ^ 0; 
Fl; 

Description 

Execute the DAA instruction only after executing an ADD instruction that leaves a 
two-BCD-digit byte result in the AL register. The ADD operands should consist of two 
packed BCD digits. The DAA instruction adjusts the AL register to contain the correct 
two-digit packed decimal result. 

Flags Affected 

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the SF, ZF, PF, and CF flags are set according to the result. 

Protected IVIode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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DAS — Decimal Adjust AL after Subtraction 



Opcode Instruction Clocks Description 

2F DAS 4 Decimal adjust AL after subtraction 



Operation 

IF (AL AND OFH) > 9 OR AF = 1 
THEN 

AL ^ AL - 6; 

AF^ 1; 
ELSE 

AF^O; 
Fl; 

IF (AL > 9FH) OR (CF = 1) 
THEN 

AL <- AL - 60H; 

CF<-1; 
ELSECF<-0; 
Fl; 

Description 

Execute the DAS instruction only after a subtraction instruction that leaves a two-BCD- 
digit byte result in the AL register. The operands should consist of two packed BCD 
digits. The DAS instruction adjusts the AL register to contain the correct packed two- 
digit decimal result. 

Flags Affected 

The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the SF, ZF, and PF flags are set according to the result. 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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DEC — Decrement by 1 



opcode 

FE/1 
FF /I 

48 + rw 
48 + rw 


Instruction 

DEC r/m8 
DEC r/m 16 
DEC r/m32 
DECr16 
DEC r32 


Clocks 

2/6 

2/6 

2/6 

2 

2 


Description 

Decrement r/m byte by 1 
Decrement r/m word by 1 
Decrement r/m dword by 1 
Decrement word register by 1 
Decrement dword register by 1 



Operation 

DEST^DEST - 1; 

Description 

The DEC instruction subtracts 1 from the operand. The DEC instruction does not 
change the CF flag. To affect the CF flag, use the SUB instruction with an immediate 
operand of 1. 

Flags Affected 

The OF, SF, ZF, AF, and PF flags are set according to the result. 

Protected Mode Exceptions 

#GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or OS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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DIV — Unsigned Divide 



opcode Instruction Clocks Description 

F6 /6 DN AL,r/m8 14/17 Unsigned divide AX by r/m byte (AL = Quo, AH = Rem) 

F7 /6 DiV fiX,r/m16 22/25 Unsigned divide DX:AX by r/m word (AX = Quo, DX = Rem) 

F7 /6 DIV EAX,r/m32 38/41 Unsigned divide EDX:EAX by r/m dword (EAX = Quo, EDX = Rem) 



Operation 

temp ^ dividend / divisor; 
IF temp does not fit in quotient 
THEN Interrupt 0; 
ELSE 

quotient ^ temp; 

remainder ^ dividend MOD (r/m); 
Fl; 

Note: Divisions are unsigned. The divisor is given by the r/m operand. The dividend, 
quotient, and remainder use impUcit registers. Refer to the table under "Description." 



Description 

The DIV instruction performs an unsigned division. The dividend is impHcit; only the 
divisor is given as an operand. The remainder is alvv^ays less than the divisor. The type of 
the divisor determines which registers to use as follows: 



Size 


Dividend 


Divisor 


Quotient 


Remainder 


byte 
word 
dword 


AX 

DX:AX 

EDX:EAX 


r/m8 

r/m16 

r/m32 


AL 
AX 
EAX 


AH 
DX 
EDX 



Flags Affected 



The OF, SF, ZF, AF, PF, CF flags are undefined. 



Protected IVIode Exceptions 

Interrupt if the quotient is too large to fit in the designated register (AL, AX, or 
EAX), or if the divisor is 0; #GP(0) for an illegal memory operand effective address in 
the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; 
#PF(fault-code) for a page fault 
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Real Address Mode Exceptions 

Interrupt if the quotient is too big to fit in the designated register (AL, AX, or EAX), 
or if the divisor is 0; Interrupt 13 if any part of the operand would He outside of the 
effective address space from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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ENTER — Make Stack Frame for Procedure Parameters 



Opcode Instruction 

C8/W00 ENTER /mm y 6,0 

C8/IV01 ENTER imm16,^ 

C8/ivib ENTER /mm 76, /mm8 



Clocks 

10 
12 
15 + 4(r?-1) 



Description 

Make procedure stack frame 

Make stack frame for procedure parameters 

Make stack frame for procedure parameters 



Operation 

level <- level MOD 32 

IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) Fl; 

(* Save stack pointer *) 
frame-ptr ^ eSP 
IF level > 

THEN (* level is rightmost parameter *) 
FOR I ^ 1 TO level - 1 
DO 
IF OperandSize = 16 
THEN 

BP <- BP - 2; 
Push[BP] 
ELSE (* OperandSize = 32 *) 
EBP ^ EBP - 4; 
Push[EBP]; 
Fl; 
OD; 

Push (frame-ptr) 
Fl; 

IF OperandSize = 16 THEN BP ^ frame-ptr ELSE EBP ^ frame-ptr; Fl; 
IF StackAddrSize = 16 
THEN SP ^ SP - First operand; 
ELSE ESP ^ ESP - ZeroExtend (First operand); 
Fl; 

Description 

The ENTER instruction creates the stack frame required by most block-structured high- 
level languages. The first operand specifies the number of bytes of dynamic storage 
allocated on the stack for the routine being entered. The second operand gives the 
lexical nesting level (0 to 31) of the routine within the high-level language source code. It 
determines the number of stack frame pointers copied into the new stack frame from the 
preceding frame. The BP register (or EBP, if the operand-size attribute is 32 bits) is the 
current stack frame pointer. 

If the operand-size attribute is 16 bits, the 386 DX microprocessor uses the BP register 
as the frame pointer and the SP register as the stack pointer. If the operand-size at- 
tribute is 32 bits, the processor uses the EBP register for the frame pointer and the ESP 
register for the stack pointer. 
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If the second operand is 0, the ENTER instruction pushes the frame pointer (BP or EBP 
register) onto the stack; the ENTER instruction then subtracts the first operand from 
the stack pointer and sets the frame pointer to the current stack-pointer value. 

For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 
instruction at its entry point and a LEAVE instruction before every RET instruction. 
The 12 local bytes would be addressed as negative offsets from the frame pointer. 

Flags Affected 

None 

Protected Mode Exceptions 

#SS(0) if the SP or ESP value would exceed the stack limit at any point during instruc- 
tion execution; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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HLT- 


-Halt 








Opcode 

F4 


Instruction 

HLT 


Clocks 

5 


Description 

Halt 



Operation 

Enter Halt state; 

Description 

The HLT instruction stops instruction execution and places the 386 processor in a 
HALT state. An enabled interrupt, NMI, or a reset will resume execution. If an inter- 
rupt (including NMI) is used to resume execution after an HLT instruction, the saved 
CS:IP (or CS:EIP) value points to the instruction following the HLT instruction. 

Flags Affected 

None 

Protected Mode Exceptions 

The HLT instruction is a privileged instruction; #GP(0) if the current privilege level is 
not 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

#GP(0); the HLT instruction is a privileged instruction 
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I DIV- Signed Divide 



Opcode Instruction 

F6 17 IDIV r/m8 

F7 /7 IDIVAX,r//77)6 

F7 17 IDIV EAX,r/m32 



Clocks Description 

19 Signed divide AX by r/m byte (AL=Quo, AH = Rem) 

27 Signed divide DX:AX by EA word (AX = Quo, DX = Rem) 

43 Signed divide EDX:EAX by DWORD byte (EAX^Quo, EDX^Rem) 



Operation 

temp <- dividend / divisor; 
IF temp does not fit in quotient 
THEN Interrupt 0; 
ELSE 

quotient ^ temp; 

remainder ^ dividend MOD (r/m)\ 
Fl; 

Notes: Divisions are signed. The divisor is given by the r/m operand. The dividend, 
quotient, and remainder use impHcit registers. Refer to the table under "Description." 

Description 

The IDIV instruction performs a signed division. The dividend, quotient, and remainder 
are implicitly allocated to fixed registers. Only the divisor is given as an explicit r/m 
operand. The type of the divisor determines which registers to use as follows: 



Size 


Divisor 


Quotient 


Remainder 


Dividend 


byte 
word 
dword 


r/m8 

r/m16 

r/m32 


AL 
AX 
EAX 


AH 
DX 
EDX 


AX 

DX:AX 
EDX: EAX 



If the resulting quotient is too large to fit in the destination, or if the division is 0, an 
Interrupt is generated. Nonintegral quotients are truncated toward 0. The remainder 
has the same sign as the dividend and the absolute value of the remainder is always less 
than the absolute value of the divisor. 

Flags Affected 

The OF, SF, ZF, AF, PF, CF flags are undefined. 

Protected IVIode Exceptions 

Interrupt if the quotient is too large to fit in the designated register (AL or AX), or if 
the divisor is 0; #GP (0) for an illegal memory operand effective address in the CS, DS, 
ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- 
code) for a page fault 
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Real Address Mode Exceptions 

Interrupt if the quotient is too large to fit in the designated register (AL or AX), or if 
the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective 
address space from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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IMUL-Signed Multiply 



Opcode 


Instruction 


Clocks 


F6 /5 
F7 /5 
F7 15 
OF AF Ir 
OF AF Ir 
6B Ir ib 


IMUL r/m8 
IMUL r/m16 
IMUL r//7752 
IMUL r16.r/m16 
IMUL r32,r/m32 
IMUL r16,r/m16,imm8 


9-14/12-17 
9-22/12-25 
9-38/12-41 
9-22/12-25 
9-38/12-41 
9-14/12-17 


6B Ir ib 


IMUL r32,r/m32,imm8 


9-14/12-17 


68 Ir ib 


IMUL r16,imm8 


9-14/12-17 


68 Irib 


IMUL r32,imm8 


9-14/12-17 


69 Ir iw 
69 Irid 
69 /r /w 
69 Irid 


m\JLr16,r/m16,imm16 
IMUL r32,r/m32,imm32 
MULr16,imm16 
IMUL r32,imm32 


9-22/12-25 
9-38/12-41 
9-22/12-25 
9-38/12-41 



Description 

AX^ AL * r/m byte 
DX:AX ^ AX * r/m word 
EDX:EAX ^ EAX * r/m dword 
word register <- word register * r/m word 
dword register ^ dword register * r/m dword 
word register ^ r/m16 * sign-extended immediate 
byte 

dword register ^ r/m32 * sign-extended immediate 
byte 

word register ^ word register * sign-extended imme- 
diate byte 

dword register ^ dword register * sign-extended im- 
mediate byte 

word register -^ r/m16* immediate word 
dword register ^ r/m32 * immediate dword 
word register ^ r/m16 * immediate word 
dword register ^ r/m32 * immediate dword 



NOTES: The 386 DX microprocessor uses an early-out multiply algorithm. The actual number of clocks depends on the 
position of the most significant bit in the optimizing multiplier. The optimization occurs for positive and negative 
values. Because of the early-out algorithm, clocl< counts given are minimum to maximum. To calculate the actual 
clocks, use the following formula: 

Actual clock = if m < > then max(ceiling(log2 | m | ), 3) + 6 clocks 
Actual clock = if m = then 9 clocks 
(where m is the multiplier) 

Add three clocks if the multiplier is a memory operand. 

Operation 

result ^ multiplicand * multiplier; 



Description 

The IMUL instruction performs signed multiplication. Some forms of the instruction use 
implicit register operands. The operand combinations for all forms of the instruction are 
shown in the "Description" column above. 

The IMUL instruction clears the OF and CF flags under the following conditions: 



Instruction Form 


Condition for Clearing CF and OF 


r/m8 


AL = sign-extend of AL to 16 bits 


r/m16 


AX = sign-extend of AX to 32 bits 


r/m32 


EDX:EAX = sign-extend of EAX to 32 bits 


r16,r/m16 


Result exactly fits within r16 


r/32,r/m32 


Result exactly fits within r32 


r16,r/m16,innm16 


Result exactly fits within r16 


r32,r/m32,imm32 


Result exactly fits within r32 
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Flags Affected 

The OF and CF flags as described in the table in the "Description" section above; the 
SF, ZF, AF, and PF flags are undefined 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exeptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

When using the accumulator forms (IMUL r/m8, IMUL r/m16, or IMUL r/m32), the 
result of the multiplication is available even if the overflow flag is set because the result 
is twice the size of the multiplicand and multiplier. This is large enough to handle any 
possible result. 
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IN — Input from Port 



opcode 


Instruction 


Clocks 


Description 


E4 ib 


IN AL,imm8 


12,pm = 6*/26** 


Input byte from immediate port into AL 


E5 ib 


IN fiXJmmB 


12,pm = 6*/26** 


Input word from immediate port into AX 


E5 ib 


IN EPX,imm8 


14,pm = 6*/26** 


Input dword from immediate port into EAX 


EC 


IN AL.DX 


13,pm = 7*/27** 


Input byte from port DX into AL 


ED 


IN AX.DX 


13,pm = 7*/27** 


Input word from port DX into AX 


ED 


IN EAX.DX 


13,pm = 7*/27** 


Input dword from port DX into EAX 



NOTES: *lf CPL < lOPL 

**lf CPL > lOPL or if in virtual 8086 mode 

Operation 

IF (PE = 1) AND ((VM = 1) OR (GPL > lOPL)) 

THEN (* Virtual 8086 mode, or protected mode with CPL > lOPL *) 

IF NOT l-0-Permission (SRC, width(SRC)) 

THEN#GP(0); 

Fl; 
Fl; 
DEST ^ [SRC]; (* Reads from I/O address space *) 

Description 

The IN instruction transfers a data byte or data word from the port numbered by the 
second operand into the register (AL, AX, or EAX) specified by the first operand. 
Access any port from to 65535 by placing the port number in the DX register and using 
an IN instruction with the DX instruction as the second parameter. These I/O instruc- 
tions can be shortened by using an 8-bit port I/O in the instruction. The upper eight bits 
of the port address will be when 8-bit port I/O is used. 

Flags Affected 

None 

Protected IVIode Exceptions 

#GP(0) if the current privilege level is larger (has less privilege) than the I/O privilege 
level and any of the corresponding I/O permission bits in TSS equals 1 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1 
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INC — Increment by 1 



opcode 

FE /O 
FF /O 
FF /6 
40+ /w 
40+ rd 


Instruction 

INC r/m8 
INC r/m16 
INC r/m32 
INC r16 
INC r32 


Clocks 

2/6 

2/6 

2/10 

2 

2 


Description 

Increment r/m byte by 1 
Increment r/m word by 1 
Increment r/m dword by 1 
Increment word register by 1 
Increment dword register by 1 



Operation 

DEST <- DEBT + 1 ; 

Description 

The INC instruction adds 1 to the operand. It does not change the CF flag. To affect the 
CF flag, use the ADD instruction with a second operand of 1. 

Flags Affected 

The OF, SF, ZF, AF, and PF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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INS/INSB/INSW/INSD- Input from Port to String 



Opcode 


Instruction 


Clocks 


Description 


6C 


INS r/m8,DX 


15,pm = 9*/29** 


Input byte from port DX into ES:(E)DI 


6D 


INS r/m16,DX 


15,pm = 9*/29** 


Input word from port DX into ES:(E)DI 


6D 


INS r/m32,DX 


15,pm = 9*/29** 


Input dword from port DX into ES:(E)DI 


6C 


INSB 


15,pm = 9*/29** 


Input byte from port DX into ES:(E)DI 


6D 


INSW 


15,pm = 9*/29** 


Input word from port DX into ES:(E)DI 


6D 


INSD 


15,pm = 9*/29** 


Input dword from port DX into ES:(E)DI 



NOTES: *lf CPL < lOPL 

**lf CPL > lOPL or if in virtual 8086 mode 



Operation 

IF AddressSize = 16 
THEN use Dl for dest-index; 
ELSE (* AddressSize = 32 *) 

use EDI for dest-index; 
Fl; 

IF (PE = 1) AND ((VM = 1) OR (CPL > lOPL)) 
THEN (* Virtual 8086 mode, or protected mode with CPL > lOPL *) 

IF NOT l-0-Permission (SRC, widtli(SRC)) 

THEN #GP(0); 

Fl; 
Fl; 

IF byte type of instruction 
THEN 

ES: [dest-index] ^ [DX]; (* Reads byte at DX from I/O address space *) 

IF DF = THEN IncDec ^ 1 ELSE IncDec ^ -1; Fl; 
Fl; 

IF OperandSize = 16 
THEN 

ES: [dest-index] ^ [DX]; (* Reads word at DX from I/O address space *) 

IF DF = THEN IncDec ^ 2 ELSE IncDec ^ -2; Fl; 
Fl; 

IF OperandSize = 32 
THEN 

ES: [dest-index] ^ [DX]; (* Reads dword at DX from I/O address space *) 

IF DF = THEN IncDec <- 4 ELSE IncDec <- -4; Fl; 
Fl; 
dest-index ^ dest-index + IncDec; 



Description 

Tlie INS instruction transfers data from the input port numbered by the DX register to 
the memory byte or word at ES:dest-index. The memory operand must be addressable 
from the ES register; no segment override is possible. The destination register is the DI 
register if the address-size attribute of the instruction is 16 bits, or the EDI register if the 
address-size attribute is 32 bits. 
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The INS instruction does not allow the specification of the port number as an immediate 
value. The port must be addressed through the DX register value. Load the correct value 
into the DX register before executing the INS instruction. 

The destination address is determined by the contents of the destination index register. 
Load the correct index into the destination index register before executing the INS 
instruction. 

After the transfer is made, the DI or EDI register advances automatically. If the DF flag 
is (a CLD instruction was executed), the DI or EDI register increments; if the DF flag 
is 1 (an STD instruction was executed), the DI or EDI register decrements. The DI 
register increments or decrements by 1 if a byte is input, by 2 if a word is input, or by 4 
if a doubleword is input. 

The INSB, INSW and INSD instructions are synonyms of the byte, word, and double- 
word INS instructions. The INS instruction can be preceded by the REP prefix for block 
input of CX bytes or words. Refer to the REP instruction for details of this operation. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the current privilege level is numerically greater than the I/O privilege level 
and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) if the desti- 
nation is in a nonwritable segment; #GP(0) for an illegal memory operand effective 
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS 
segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault- 
code) for a page fault 
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INT/INTO — Call to Interrupt Procedure 



Opcode 



Instruction 



cc 




INT 3 


cc 




INT 3 


cc 




INT 3 


cc 




INT 3 


cc 




INT 3 


CD 


ib 


INT imm8 


CD 


ib 


INT imm8 


CD 


ib 


INT immS 


CD 


ib 


INT immd 


CD 


ib 


INT immd 


CE 




INTO 


CE 




INTO 


CE 




INTO 


CE 




INTO 


CE 




INTO 



Clocks 

33 

pm= 59 

pm=99 

pm = 119 

ts 

37 

p/T7=59 

pm = 99 

pm = 119 

ts 

Fail:3,pm=3; Pass:35 

pm= 59 

pm= 99 

pn7=119 

ts 



Description 

Interrupt 3 -trap to debugger 
Interrupt 3 -Protected Mode, same privilege 
Interrupt 3 -Protected Mode, more privilege 
Interrupt 3 -from V86 mode to PL 
Interrupt 3 -Protected Mode, via task gate 
Interrupt numbered by immediate byte 
Interrupt- Protected Mode, same privilege 
Interrupt- Protected Mode, more privilege 
Interrupt -from V86 mode to PL 
Interrupt- Protected Mode, via task gate 
Interrupt 4 -if overflow flag is 1 
Interrupt 4 -Protected Mode, same privilege 
Interrupt 4 -Protected Mode, more privilege 
Interrupt 4 -from V86 mode to PL 
Interrupt 4 -Protected Mode, via task gate 



NOTE: Approximate values of ts are given by the following table: 



Old Task 


New Task 


386"' DXTSS 
VM = 


386 DX TSS 

VM = 1 


80286 TSS 


386 DX vM = 


309 


226 


282 


386 DX wiui ^ 1 
TSS 


314 


231 


287 


80286 
TSS 


307 


224 


280 



Operation 

NOTE: The following operational description applies not only to the above instructions 
but also to external interrupts and exceptions. 

IF PE = 

THEN GOTO REAL-ADDRESS-MODE; 

pELSE GOTO PROTECTED-MODE; 

Fl; 

REAL-ADDRESS-MODE: 
Push (FLAGS); 

IF ^ 0; (* Clear interrupt flag *) 
TF ^ 0; (* Clear trap flag *) 
Push(CS); 
Push(IP); 

(* No error codes are pushed *) 
OS ^ IDT[lnterrupt number * 4]. selector; 
IP ^ IDT[lnterrupt number * 4] .offset; 
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PROTECTED-MODE: 
Interrupt vector must be within IDT table limits, 

else #GP(vector number * 8 + 2 + EXT); 
Descriptor AR byte must indicate interrupt gate, trap gate, or task gate, 

else #GP(vector number * 8 + 2 + EXT); 
IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *) 
THEN 

IF gate descriptor DPL < GPL 

THEN #GP(vector number * 8 + 2 + EXT); 

Fl; 
Fl; 

Gate must be present, else #NP(vector number * 8 + 2 + EXT); 
IF trap gate OR interrupt gate 
THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE; 
ELSE GOTO TASK-GATE; 
Fl; 

TRAP-GATE-OR-INTERRUPT-GATE: 
Examine OS selector and descriptor given in the gate descriptor; 
Selector must be non-null, else #GP (EXT); 
Selector must be within its descriptor table limits 

ELSE #GP(selector + EXT); 
Descriptor AR byte must indicate code segment 

ELSE #GP(selector + EXT); 
Segment must be present, else #N P (selector + EXT); 

IF code segment is non-conforming AND DPL < GPL 
THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE; 
ELSE 

IF code segment is conforming OR code segment DPL = CPL 

THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL; 

ELSE #GP(CS selector + EXT); 

Fl; 
Fl; 

INTERRUPT-TO-INNER-PRIVILEGE: 
Check selector and descriptor for new stack in current TSS; 
Selector must be non-null, else #TS(EXT); 
Selector index must be within its descriptor table limits 

ELSE #TS(SS selector + EXT); 
Selector's RPL must equal DPL of code segment, else #TS(SS 

selector + EXT); 
Stack segment DPL must equal DPL of code segment, else #TS(SS 

selector + EXT); 
Descriptor must indicate writable data segment, else #TS(SS 

selector + EXT); 
Segment must be present, else #SS(SS selector + EXT); 
IF 32-bit gate 
THEN New stack must have room for 20 bytes else #SS(0) 
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ELSE New stack must have room for 10 bytes else #88(0) 

Fl; 

Instruction pointer must be within 08 segment boundaries else #GP(0); 

Load new SS and eSP value from 188; 

IF 32-blt gate 

THEN C8:EIP ^ selector:offset from gate; 

ELSE C8:IP ^ selector:offset from gate; 

Fl; 

Load 08 descriptor into invisible portion of 08 register; 

Load 88 descriptor into invisible portion of 88 register; 

IF 32-bit gate 

THEN 

Push (long pointer to old stack) (* 3 words padded to 4 *); 

Push (EFLAG8); 

Push (long pointer to return location) (* 3 words padded to 4*); 
ELSE 

Push (long pointer to old stack) (* 2 words *); 

Push (FLAGS); 

Push (long pointer to return location) (* 2 words *); 
Fl; 

Set OPL to new code segment DPL; 
Set RPL of OS to OPL; 

IF interrupt gate THEN IF ^ (* interrupt flag to (disabled) *); Fl; 
TF^O; 
NT^O; 



INTERRUPT-FROM-V86-MODE: 
TempEFIags ^ EFLAGS; 
VM ^0; 
TF ^ 0; 

IF service through Interrupt Gate THEN IF ^ 0; 
TempSS ^ 88; 
TempESP ^ ESP; 

88 <- TSS.SSO; (* Change to level stack segment *) 
ESP ^ TSS.ESPO; (* Change to level stack pointer *) 
Push(GS); (* padded to two words *) 
Push(FS); (* padded to two words *) 
Push(DS); (* padded to two words *) 
Push(E8); (* padded to two words *) 
GS ^ 0; 
FS ^ 0; 
DS <- 0; 
ES ^ 0; 

Push (TempSS); (* padded to two words *) 
Push(TempESP); 
Push(TempEFIags); 
Push(08); (* padded to two words *) 
Push(EIP); 
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CS:EIP <r- selector:offset from interrupt gate; 

(* Starts execution of new routine in 386 DX Protected Mode *) 

INTERRUPT-TO-SAME-PRIVILEGE-LEVEL: 
IF 32-bit gate 

THEN Current stack linnits must allow pushing 10 bytes, else #SS(0); 
ELSE Current stack limits must allow pushing 6 bytes, else #SS(0); 
Fl; 

IF interrupt was caused by exception with error code 
THEN Stack limits must allow push of two more bytes; 
ELSE #SS(0); 
Fl; 

Instruction pointer must be in CS limit, else #GP(0); 
IF 32-bit gate 
THEN 

Push (EFLAGS); 

Push (long pointer to return location); (* 3 words padded to 4 *) 

CS:EIP ^ selector-.offset from gate; 
ELSE (* 16-bit gate*) 

Push (FLAGS); 

Push (long pointer to return location); (* 2 words *) 

CS:IP ^ selector:offset from gate; 
Fl; 

Load CS descriptor into invisible portion of CS register; 
Set the RPL field of CS to CPL; 
Push (error code); (* if any *) 
IF interrupt gate THEN IF ^ 0; Fl; 
TF^O; 
NT^O; 

TASK-GATE: 
Examine selector to TSS, given in task gate descriptor; 

Must specify global in the local/global bit, else #TS(TSS selector); 

Index must be within GDT limits, else #TS(TSS selector); 

AR byte must specify available TSS (bottom bits 00001), 
else #TS(TSS selector; 

TSS must be present, else #NP(TSS selector); 
SWITCH-TASKS with nesting to TSS; 
IF interrupt was caused by fault with error code 
THEN 

Stack limits must allow push of two more bytes, else #SS(0); 

Push error code onto stack; 
Fl; 
Instruction pointer must be in CS limit, else #GP(0); 

Description 

The INT n instruction generates via software a call to an interrupt handler. The imme- 
diate operand, from to 255, gives the index number into the Interrupt Descriptor Table 
(IDT) of the interrupt routine to be called. In Protected Mode, the IDT consists of an 
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array of eight-byte descriptors; the descriptor for the interrupt invoked must indicate an 
interrupt, trap, or task gate. In Real Address Mode, the IDT is an array of four byte- 
long pointers. In Protected and Real Address Modes, the base linear address of the IDT 
is defined by the contents of the IDTR. 

The INTO conditional software instruction is identical to the INT n interrupt instruction 
except that the interrupt number is implicitly 4, and the interrupt is made only if the 
386 DX microprocessor overflow flag is set. 

The first 32 interrupts are reserved by Intel for system use. Some of these interrupts are 
use for internally generated exceptions. 

The INT n instruction generally behaves like a far call except that the flags register is 
pushed onto the stack before the return address. Interrupt procedures return via the 
IRET instruction, which pops the flags and return address from the stack. 

In Real Address Mode, the INT instruction n pushes the flags, the CS register, and the 
return IP onto the stack, in that order, then jumps to the long pointer indexed by the 
interrupt number. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP, #NP, #SS, and #TS as indicated under "Operation" above 

Real Address Mode Exceptions 

None; if the SP or ESP register is 1, 3, or 5 before executing the INT or INTO instruc- 
tion, the 386 DX microprocessor will shut down due to insufficient stack space 

Virtual 8086 Mode Exceptions 

#GP(0) fault if lOPL is less than 3, for the INT n instruction only, to permit emulation; 
Interrupt 3 (OCCH) generates a breakpoint exception; the INTO instruction generates 
an overflow exception if the OF flag is set 
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IRET/IRETD- Interrupt Return 



Opcode 


Instruction 


Clocks 


Description 


CF 


IRET 


22,p/T? = 38 


Interrupt return (far return and pop flags) 


CF 


IRET 


pm=82 


Interrupt return to lesser privilege 


CF 


IRET 


ts 


Interrupt return, different task (NT = 1) 


CF 


IRETD 


22,p/77=38 


Interrupt return (far return and pop flags) 


CF 


IRETD 


pm= 82 


Interrupt return to lesser privilege 


CF 


IRETD 


pm=60 


Interrupt return to V86 mode 


CF 


IRETD 


ts 


Interrupt return, different task (NT = 1) 



NOTE: Values of ts are given by the following table: 



Old Task 


New Task 


386 " DX TSS 
VM = 


386 DX TSS 
VM = 1 


80286 TSS 


386 DX VM = 


275 


223 


271 


80286 
TSS 


265 


213 


232 



Operation 

IF PE = 

THEN (* Real-address mode *) 
IF OperandSize = 32 (* Instruction = IRETD *) 
THEN EIP ^ PopO; 
ELSE (* Instruction = IRET *) 

IP <- PopO; 
Fl; 

CS ^ PopO; 

IF OperandSize = 32 (* Instruction = IRETD *) 
THEN EFLAGS <- PopO; 
ELSE (* Instruction = IRET *) 

FLAGS ^ PopO; 
Fl; 
ELSE (* Protected mode *) 
IF VM = 1 
THEN #GP(0); 
ELSE 
IF NT = 1 

THEN GOTO TASK-RETURN; 
ELSE 
IF VM = 1 in flags image on stack 
THEN GO TO STACK-RETURN-TO-V86; 
ELSE GOTO STACK-RETURN; 
Fl; 
Fl; 
Fl; 
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FI;STACK-RETURN-TO-V86: (* Interrupted procedure was in V86 mode *) 
IF top 36 bytes of stack not within limits 
THEN #SS(0); 
Fl; 

IF instruction pointer not within code segment limit THEN #GP(0); 
Fl; 

EFLAGS <- SS:[ESP + 8]; (* Sets VM in interrupted routine *) 
EIP^PopO; 

CS ^ PopO; (* CS behaves as in 8086, due to VM = 1 *) 
throwaway ^ Pop(); {* pop away EFLAGS already read *) 
TempESP ^ Pop(); 
TempSS ^ PopQ; 

ES ^ PopQ; (* pop 2 words; throw away high-order word *) 
DS ^ Pop(); (* pop 2 words; throw away high-order word *) 
FS ^ PopO; (* pop 2 words; throw away high-order word *) 
GS ^ PopO; (* pop 2 words; throw away high-order word *) 
SS:ESP ^ TempSS-.TempESP; 

(* Resume execution in Virtual 8086 mode *) 

TASK-RETURN: 
Examine Back Link Selector in TSS addressed by the current task 

register: 

Must specify global in the local/global bit, else #TS(new TSS selector); 

Index must be within GDT limits, else #TS(new TSS selector); 

AR byte must specify TSS, else #TS(new TSS selector); 

New TSS must be busy, else #TS(new TSS selector); 

TSS must be present, else #NP(new TSS selector); 
SWITCH-TASKS without nesting to TSS specified by back link selector; 
Mark the task just abandoned as NOT BUSY; 
Instruction pointer must be within code segment limit ELSE #GP(0); 

STACK-RETURN: 
IF OperandSlze = 32 

THEN Third word on stack must be within stack limits, else #SS(0); 
ELSE Second word on stack must be within stack limits, else #SS(0); 
Fl; 

Return CS selector RPL must be > CPL, else #GP(Return selector); 
IF return selector RPL = CPL 
THEN GOTO RETURN-SAME-LEVEL; 
ELSE GOTO RETURN-OUTER-LEVEL; 
Fl; 

RETURN-SAME-LEVEL: 
IF OperandSlze = 32 
THEN 
Top 12 bytes on stack must be within limits, else #SS(0); 
Return CS selector (at eSP + 4) must be non-null, else #GP(0); 
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ELSE 

Top 6 bytes on stack must be within limits, else #SS(0); 

Retum OS selector (at eSP + 2) must be non-null, else #GP(0); 
Fl; 
Selector index must be within its descriptor table limits, else #GP 

(Return selector); 
AR byte must indicate code segment, else #GP(Return selector); 
IF non-conforming 

THEN code segment DPL must = CPL; 
ELSE #GP(Return selector); 
Fl; 

IF conforming 

THEN code segment DPL must be < CPL, else #GP(Return selector); 
Segment must be present, else #NP(Return selector); 
Instruction pointer must be within code segment boundaries, else #GP(0); 
Fl; 

IF OperandSize = 32 
THEN 

Load CS:EIP from stack; 

Load CS-register with new code segment descriptor; 

Load EFLAGS with third doubleword from stack; 

Increment eSP by 12; 
ELSE 

Load CS-register with new code segment descriptor; 

Load FLAGS with third word on stack; 

Increment eSP by 6; 

RETURN-OUTER-LEVEL: 
IFOperandSize = 32 

THEN Top 20 bytes on stack must be within limits, else #SS(0); 
ELSE Top 10 bytes on stack must be within limits, else #SS(0); 
Fl; 
Examine return CS selector and associated descriptor: 

Selector must be non-null, else #GP(0); 

Selector index must be within its descriptor table limits; 
ELSE #GP(Return selector); 

AR byte must indicate code segment, else #GP(Return selector); 

IF non-conforming 

THEN code segment DPL must = CS selector RPL; 

ELSE #GP(Return selector); 

Fl; 

IF conforming 

THEN code segment DPL must be > CPL; 

ELSE #GP(Return selector); 

Fl; 

Segment must be present, else #NP(Return selector); 



Examine return SS selector and associated descriptor: 
Selector must be non-null, else #GP(0); 
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Selector index must be within its descriptor table linnits 

ELSE #GP(SS selector); 
Selector RPL must equal the RPL of the return CS selector 

ELSE #GP(SS selector); 
AR byte must indicate a writable data segment, else #GP(SS selector); 
Stack segment DPL must equal the RPL of the return CS selector 

ELSE #GP(SS selector); 
SS must be present, else #NP(SS selector); 

Instruction pointer must be within code segment limit ELSE #GP(0); 

IF OperandSize = 32 

THEN 

Load CS:EIP from stack; 

Load EFLAGS with values at (eSP + 8); 
ELSE 

Load CS:IP from stack; 

Load FLAGS with values at (eSP + 4); 
Fi; 

Load SS:eSP from stack; 
Set CPL to the RPL of the return CS selector; 
Load the CS register with the CS descriptor; 
Load the SS register with the SS descriptor; 
FOR each of ES, FS, GS, and DS 
DO; 

IF the current value of the register is not valid for the outer level; 

THEN zero the register and clear the valid flag; 

FI; 

To be valid, the register setting must satisfy the following properties: 
Selector index must be within descriptor table limits; 
AR byte must indicate data or readable code segment; 
IF segment is data or non-conforming code, 
THEN DPL must be > CPL, or DPL must be > RPL; 
OD; 

Description 

In Real Address Mode, the IRET instruction pops the instruction pointer, the CS reg- 
ister, and the flags register from the stack and resumes the interrupted routine. 

In Protected Mode, the action of the IRET instruction depends on the setting of the 
nested task flag (NT) bit in the flag register. When the new flag image is popped from 
the stack, the lOPL bits in the flag register are changed only when CPL equals 0. 

If the NT flag is cleared, the IRET instruction returns from an interrupt procedure 
without a task switch. The code returned to must be equally or less privileged than the 
interrupt routine (as indicated by the RPL bits of the CS selector popped from the 
stack). If the destination code is less privileged, the IRET instruction also pops the stack 
pointer and SS from the stack. 
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If the NT flag is set, the IRET instruction reverses the operation of a CALL or INT that 
caused a task switch. The updated state of the task executing the IRET instruction is 
saved in its task state segment. If the task is reentered later, the code that follows the 
IRET instruction is executed. 

Flags Affected 

All flags are affected; the flags register is popped from stack 

Protected Mode Exceptions 

#GP, #NP, or #SS, as indicated under "Operation" above 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand being popped lies beyond address OFFFFH 

Virtual 8086 Mode Exceptions 

#GP(0) fault if the I/O privilege level is less than 3, to permit emulation 
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Jcc — Jump if Condition is Met 



Opcode 


Instruction 


Clocks 


Description 


11 cb 


JA rel8 


7 + A77,3 


Jump short if above (CF = and ZF = 0) 


73 cb 


JAE rel8 


7 + A77,3 


Jump short if above or equal (CF = 0) 


72 cb 


JB re/S 


7 + m,3 


Jump short if below (CF = 1) 


76 cb 


JBE rel8 


l + m,3 


Jump short if below or equal (CF = 1 or ZF = 1) 


72 cb 


JC re/5 


l + m,3 


Jump short if carry (CF = 1) 


E3 cb 


JCXZ re/e 


9 + m,5 


Jump short if CX register is 


E3 cb 


JECXZ relS 


9 + m,5 


Jump short if ECX register is 


14 cb 


JE re/5 


l + m,3 


Jump short if equal (ZF= 1) 


74 cb 


JZ rel8 


l + m,3 


Jump short if (ZF=1) 

Jump short if greater (ZF = and SF=OF) 


7F cb 


JG re/5 


l + m,3 


7D cb 


JGE re/5 


l + m,3 


Jump short if greater or equal (SF = OF) 


7C cb 


JL rel8 


l + m,3 


Jump short if less (SF< >0F) 


7E c/p 


JLE re/5 


l + m,3 


Jump short if less or equal (ZF=1 or SF< >0F) 
Jump short if not above (CF = 1 or ZF= 1) 


76 cb 


JNA rel8 


l + m,3 


72 cb 


JNAE re/5 


l + m,3 


Jump short if not above or equal (CF= 1) 


73 c5 


JNB re/5 


l + m,3 


Jump short if not below {CF = 0) 


77 cb 


JNBE rel8 


l + m,3 


Jump short if not below or equal (CF = and ZF = 0) 


73 cjb 


JNC re/5 


1 + m,3 


Jump short if not carry (CF = 0) 


75 c/5 


JNE rel8 


l + m,3 


Jump short if not equal (ZF = 0) 


7E cb 


J NO /-e/5 


l + m,3 


Jump short if not greater (ZF = 1 or SF< >0F) 


7C ct) 


JNGE re/5 


l + m,3 


Jump short if not greater or equal (SF< >0F) 


7D cb 


JNL rel8 


l + m,3 


Jump short if not less (SF = OF) 


7F ct» 


JNLE re/5 


l + m,3 


Jump short if not less or equal (ZF = and SF = OF) 


71 c5 


JNO rel8 


l + m,3 


Jump short if not overflow (OF = 0) 


IB cb 


JNP re/5 


l + m,3 


Jump short if not parity (PF = 0) 


79 cjb 


JNS re/5 


l + m,3 ■ 


Jump short if not sign (SF^O) 


75 cfc> 


JNZ rel8 


7 + m,3 


Jump short if not zero (ZF = 0) 


70 cb 


JO re/5 


7 + m,3 


Jump short if overflow (OF = 1 ) 


7A ct> 


JP rel8 


7 + An,3 


Jump short if parity (PF = 1) 


7A cb 


JPE re/5 


l + m,3 


Jump short if parity even (PF = 1) 
Jump short if parity odd (PF = 0) 


7B cfc> 


JPO re/5 


l + m,3 


78 ct) 


JS rel8 


l + m,3 


Jump short if sign (SF = 1 ) 
Jump short if zero (ZF = 1) 


74 ct> 


JZ re/5 


l + m,3 


OF 87 cw/cc/ 


JA re/r5/32 


l + m,3 


Jump near if above (CF = and ZF=0) 


OF 83 cw/cd 


JAE rel16/32 


l + m,3 


Jump near if above or equal (CF = 0) 


OF 82 cw/cd 


JB re/r5/52 


l + m,3 


Jump near if below (CF = 1 ) 


OF 86 civ/cc/ 


JBE re/76/32 


l + m,3 


Jump near if below or equal (CF = 1 or ZF = 1 ) 


OF 82 cw/cd 


JC rel16/32 


l + m,3 


Jump near if carry (CF= 1) 


OF 84 ctv/cd 


JE re/r6/32 


l + m,3 


Jump near if equal (ZF= 1) 


OF 84 cw/cd 


JZ rel16/32 


l + m,3 


Jump near if (ZF=1) 

Jump near if greater (ZF = and SF = OF) 


OF 8F civ/cc/ 


JG re/75/32 


l + m,3 


OF 8D cw/cd 


JGE rel16/32 


l + m,3 


Jump near if greater or equal (SF = OF) 


OF 8C cw/cd 


JL rel16/32 


l + m,3 


Jump near if less (SF< >0F) 


OF 8E civ/cc/ 


JLE re/75/32 


l + m,3 


Jump near if less or equal (ZF = 1 or SF <> OF) 


OF 86 cw/cd 


JNA re/75/32 


l + m,3 


Jump near if not above (CF=1 or ZF=1) 


OF 82 civ/ccy 


JNAE re/75/32 


l + m,3 


Jump near if not above or equal (CF=1) 


OF 83 cw/cd 


JNB rel16/32 


l + m,3 


Jump near if not below (CF = 0) 


OF 87 civ/cd 


JNBE re/75/32 


l + m,3 


Jump near if not below or equal (CF = and ZF = 0) 


OF 83 cw/cd 


JNC re/75/32 


l + m,3 


Jump near if not carry (CF = 0) 


OF 85 cw/cd 


JNE rel16/32 


l + m,3 


Jump near if not equal (ZF = 0) 


OF 8E civ/cd 


JNG re/75/32 


l + m,3 


Jump near if not greater (ZF = 1 or SF <> OF) 


OF 8C cw/cd 


JNGE re/75/32 


l + m,3 


Jump near if not greater or equal (SFoOF) 
Jump near if not less (SF = OF) 


OF 8D cw/ccy 


JNL rel16/32 


l + m,3 


OF 8F cw/cd 


JNLE re/75/32 


l + m,3 


Jump near if not less or equal (ZF = and SF = OF) 
Jump near if not overflow (OF = 0) 


OF 81 cw/cd 


JNO rel16/32 


l + m,3 


OF 8B cw/cd 


JNP rel16/32 


l + m,3 


Jump near if not parity (PF = 0) 


OF 89 civ/cd 


JNS re/75/32 


l + m,3 


Jump near if not sign (SF = 0) 
Jump near if not zero (ZF = 0) 


OF 85 cw/cd 


JNZre/75/32 


l + m,3 


OF 80 cw/cd 


JO re/75/32 


l + m,3 


Jump near if overflow (OF = 1 ) 
Jump near if parity (PF = 1) 


OF 8A cvv/cGf 


JP rel16/32 


7 + AT7,3 


Opcode 


Instruction 


Clocks 


Description 


OF 8A cw/cd 


JPE rel16/32 


7 + m,3 


Jump near if parity even (PF = 1) 


OF 8B cw/cd 


JPO rel16/32 


7 + A77,3 


Jump near if parity odd (PF = 0) 


OF 88 cw/cd 


JS re/75/32 


7 + m,3 


Jump near if sign (SF = 1 ) 


OF 84 cw/cd 


JZ rel16/32 


7 + m,3 





NOTES: The first clock count is for the true condition (branch taken); the second clock count is for the false condition 
(branch not taken). rel16/32 indicates that these instructions map to two; one with a 1 6-bit relative displacement, 
the other with a 32-bit relative displacement, depending on the operand-size attribute of the instruction. 
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Operation 

IF condition 
THEN 

EIP ^ EIP + S'\gnExten6(rel8/16/32}] 

IF OperandSize = 16 

THEN EIP <- EIP AND OOOOFFFFH; 

Fl; 
Fl; 



Description 

Conditional jumps (except the JCXZ instruction) test the flags which have been set by a 
previous instruction. The conditions for each mnemonic are given in parentheses after 
each description above. The terms "less" and "greater" are used for comparisons of 
signed integers; "above" and "below" are used for unsigned integers. 

If the given condition is true, a jump is made to the location provided as the operand. 
Instruction coding is most efficient when the target for the conditional jump is in the 
current code segment and within - 128 to + 127 bytes of the next instruction's first byte. 
The jump can also target -32768 thru +32767 (segment size attribute 16) or -2^^ thru 
+ 2-^-1 (segment size attribute 32) relative to the next instruction's first byte. When the 
target for the conditional jump is in a different segment, use the opposite case of the 
jump instruction (i.e., the JE and JNE instructions), and then access the target with an 
unconditional far jump to the other segment. For example, you cannot code — 

JZ FARLABEL; 

You must instead code — 

JNZ BEYOND; 
jnP FARLABEL; 
BEYDND: 

Because there can be several ways to interpret a particular state of the flags, ASM386 
provides more than one mnemonic for most of the conditional jump opcodes. For exam- 
ple, if you compared two characters in AX and want to jump if they are equal, use the JE 
instruction; or, if you ANDed the AX register with a bit field mask and only want to 
jump if the result is 0, use the JZ instruction, a synonym for the JE instruction. 

The JCXZ instruction differs from other conditional jumps because it tests the contents 
of the CX or ECX register for 0, not the flags. The JCXZ instruction is useful at the 
beginning of a conditional loop that terminates with a conditional loop instruction (such 
asLDDPNE TARGET LABEL. The JCXZ instruction prevents entering the loop with the 
CX or ECX register equal to zero, which would cause the loop to execute 64K or 32G 
times instead of zero times. 
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Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the offset jumped to is beyond the Hmits of the code segment 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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JMP-Jump 



Opcode 


Instruction 


Clocks 


Description 


EB cb 


JMP rel8 


7 + m 


Jump short 


E9 cw 


JMP re/ye 


7 + m 


Jump near, displacement relative to next instruction 


FF /4 


JMP r/m16 


7 + m/^ + m 


Jump near indirect 


EA cd 


JMP ptr16:16 


12 + m,pm = 27 + m 


Jump intersegment, 4-byte immediate address 


EA cd 


MP ptr16:16 


pm=^45 + m 


Jump to call gate, same privilege 


EA cd 


JMP ptr16:16 


ts 


Jump via task state segment 


EA cd 


MP ptr16:16 


ts 


Jump via task gate 


FF /5 


JMP my6;)6 


43 + m,pm= 31 +m 


Jump r/m 76; y 6 indirect and intersegment 


FF /5 


JMP m^e.-te 


pm = 49 + /r; 


Jump to call gate, same privilege 


FF /5 


JMP m)6;-/6 


5 + ts 


Jump via task state segment 


FF /5 


JMP m16:16 


5 + ts 


Jump via task gate 


E9 cd 


JMP re/32 


7 + m 


Jump near, displacement relative to next instruction 


FF /4 


JMP r/m32 


7 + m/1 + m 


Jump near, indirect 


EA cp 


JMP ptr16:32 


12 + /77,pm-=27 + m 


Jump intersegment, 6-byte immediate address 


EA cp 


JMP pfrf6;32 


pm = 45 + m 


Jump to call gate, same privilege 


EA cp 


JMP ptr16:32 


ts 


Jump via task state segment 


EA cp 


JMP pfrt6;32 


ts 


Jump via task gate 


FF /5 


JMP mr6;32 


43 + Ar?,pm=31 +m 


Jump intersegment, address at r/m dword 


FF /5 


JMP m16:32 


pm- 49 + m 


Jump to call gate, same privilege 


FF /5 


JMP m 76:32 


5 + ts 


Jump via task state segment 


FF /5 


JMP m16:32 


5 + ts 


Jump via task gate 



NOTE: Values of ts are given by the following table: 



Old Task 


New Task 


386™ DX TSS 
VM = 


386 DX TSS 

VM = 1 


80286 TSS 


Via Task Gate? 


N 


Y 


N 


Y 


N 


Y 


386 DX viyj^Q 


392 


401 


309 


321 


285 


294 


80286 
TSS 


310 


316 


229 


238 


285 


294 



Operation 

IF instruction = relative JMP 

(* i.e. operand is rel8, rel16, or rel32 '■ 
THEN 

EIP ^ EIP 4- rel8/16/32; 

IF OperandSize = 16 

THEN EIP ^ EIP AND OOOOFFFFH; 

Fl; 
Fi; 
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IF instruction = near indirect JMP 

(* i.e. operand is r/m16 or r/m32 *) 
THEN 

IF OperandSize = 16 

THEN 
EIP ^ [r/m16 AND OOOOFFFFH; 

ELSE (* OperandSize = 32 *) 
EIP ^ lr/m32; 

Fl; 
Fl; 

IF (PE = OR (PE = 1 AND VM - 1)) (* real mode or V86 mode *) 
AND instruction = far JMP 

(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32*) 
THEN GOTO REAL-OR-V86-MODE; 
IF operand type = m16:16 or m16:32 
THEN (* indirect *) 
IF OperandSize = 16 
THEN 
CS:IP ^ [m16:16; 

EIP <- EIP AND OOOOFFFFH; (* clear upper 16 bits *) 
ELSE (* OperandSize = 32 *) 

CS:EIP ^ [m16:32; 
Fl; 
Fl; 

IF operand type = ptr16:16 or ptr16:32 
THEN 
IF OperandSize = 16 
THEN 
CS:IP ^ ptr16:16; 

EIP ^ EIP AND OOOOFFFFH; (* clear upper 16 bits *) 
ELSE (* OperandSize = 32 *) 

CS:EIP ^ ptr16:32\ 
Fl; 
Fl; 
Fl; 

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) 

AND instruction = far JMP 
THEN 

IF operand type = m16:16 or m16:32 

THEN (* indirect*) 
check access of EA dword; 
#GP(0) or #SS(0) IF limit violation; 

Fl; 

Destination selector is not null ELSE #GP(0) 

Destination selector index is within its descriptor table limits ELSE 
#GP(selector) 

Depending on AR byte of destination descriptor: 
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GOTO CONFORMING-CODE-SEGMENT; 
GOTO NONCONFORMING-CODE-SEGMENT; 
GOTO CALL-GATE; 
GOTO TASK-GATE; 
GOTO TASK-STATE-SEGMENT; 
ELSE #GP(selector); (* illegal AR byte in descriptor *) 
Fl; 

CONFORMING-CODE-SEGMENT: 
Descriptor DPL must be < CPL ELSE #GP(selector); 
Segment must be present ELSE #NP(selector); 
Instruction pointer must be within code-segment limit ELSE #GP(0); 
IF OperandSize = 32 

THEN Load CS:EIP from destination pointer; 
ELSE Load CS:IP from destination pointer; 
Fl; 
Load OS register with new segment descriptor; 

NONCONFORMING-CODE-SEGMENT: 
RPL of destination selector must be < CPL ELSE #GP(selector); 
Descriptor DPL must be = CPL ELSE #GP(selector); 
Segment must be present ELSE # NP(selector); 
Instruction pointer must be within code-segment limit ELSE #GP(0); 
IF OperandSize = 32 

THEN Load CS:EIP from destination pointer; 
ELSE Load CS:IP from destination pointer; 
Fl; 

Load CS register with new segment descriptor; 
Set RPL field of CS register to CPL; 

CALL-GATE: 
Descriptor DPL must be > CPL ELSE #GP(gate selector); 
Descriptor DPL must be > gate selector RPL ELSE #GP(gate selector); 
Gate must be present ELSE #NP(gate selector); 
Examine selector to code segment given in call gate descriptor: 

Selector must not be null ELSE #GP(0); 

Selector must be within its descriptor table limits ELSE 
#GP(CS selector); 

Descriptor AR byte must indicate code segment 
ELSE #GP(CS selector); 

IF non-conforming 

THEN code-segment descriptor, DPL must = CPL 

ELSE #GP(CS selector); 

Fl; 

IF conforming 

THEN code-segment descriptor DPL must be < CPL; 

ELSE #GP(CS selector); 

Code segment must be present ELSE #NP(CS selector); 

Instruction pointer must be within code-segment limit ELSE #GP(0); 
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IF OperandSize = 32 

THEN Load CSiElP from call gate; 

ELSE Load CS:IP from call gate; 

Fl; 
Load OS register with new code-segment descriptor; 
Set RPL of OS to CPL 



TASK-GATE: 
Gate descriptor DPL must be > CPL ELSE #GP(gate selector); 
Gate descriptor DPL must be > gate selector RPL ELSE #GP(gate selector); 
Task Gate must be present ELSE #NP(gate selector); 
Examine selector to TSS, given in Task Gate descriptor: 

Must specify global in the local/global bit ELSE #GP(TSS selector); 

Index must be within GDT limits ELSE #GP(TSS selector); 

Descriptor AR byte must specify available TSS (bottom bits 00001); 
ELSE #GP(TSS selector); 

Task State Segment must be present ELSE #NP(TSS selector); 
SWITCH-TASKS (without nesting) to TSS; 
Instruction pointer must be within code-segment limit ELSE #GP(0); 

TASK-STATE-SEGMENT: 
TSS DPL must be > CPL ELSE #GP(TSS selector); 
TSS DPL must be > TSS selector RPL ELSE #GP(TSS selector); 
Descriptor AR byte must specify available TSS (bottom bits 00001) 

ELSE #GP(TSS selector); 
Task State Segment must be present ELSE #NP(TSS selector); 
SWITCH-TASKS (without nesting) to TSS; 
Instruction pointer must be within code-segment limit ELSE #GP(0); 



Description 

The JMP instruction transfers control to a different point in the instruction stream 
without recording return information. 

The action of the various forms of the instruction are shown below. 

Jumps with destinations of type r/m16, r/m32, rel16, and rel32 are near jumps and do not 
involve changing the segment register value. 

The JMP relW and JMP rel32 forms of the instruction add an offset to the address of the 
instruction following the JMP to determine the destination. The re/76 form is used when 
the instruction's operand-size attribute is 16 bits (segment size attribute 16 only); rel32 is 
used when the operand-size attribute is 32 bits (segment size attribute 32 only). The 
result is stored in the 32-bit EIP register. With rel16, the upper 16 bits of the EIP register 
are cleared, which results in an offset whose value does not exceed 16 bits. 

17-89 



intel' 



386 " DX MICROPROCESSOR INSTRUCTION SET 



The JMP r/m16 and JMP r/m32 forms specify a register or memory location from which 
the absolute offset from the procedure is fetched. The offset fetched from r/m is 32 bits 
for an operand-size attribute of 32 bits (r/m32), or 16 bits for an operand-size attribute of 
16 bits (r/m16). 

The JMP ptr16:16 and ptr16:32 forms of the instruction use a four-byte or six-byte oper- 
and as a long pointer to the destination. The JMP m16:16 and m 16:32 forms fetch the 
long pointer from the memory location specified (indirection). In Real Address Mode or 
Virtual 8086 Mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits 
for the EIP register (depending on the operand-size attribute). In Protected Mode, both 
long pointer forms consult the Access Rights (AR) byte in the descriptor indexed by the 
selector part of the long pointer. Depending on the value of the AR byte, the jump will 
perform one of the following types of control transfers: 

• A jump to a code segment at the same privilege level 

• A task switch 

For more information on protected mode control transfers, refer to Chapter 6 and 
Chapter 7. 

Flags Affected 

All if a task switch takes place; none if no task switch occurs 

Protected Mode Exceptions 

Far jumps: #GP, #NP, #SS, and #TS, as indicated in the list above. 

Near direct jumps: #GP(0) if procedure location is beyond the code segment limits. 

Near indirect jumps: #GP(0) for an illegal memory operand effective address in the CS, 
DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #GP if the 
indirect offset obtained is beyond the code segment limits; #PF(fault-code) for a page 
fault. 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would be outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as under Real Address Mode; #PF(fault-code) for a page fault 
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LAHF- 


-Load Flags into AH Register 


Opcode 

9F 


Instruction Clocks Description 

LAHF 2 Load: AH = flags SF ZF xx AF xx PF xx CF 



Operation 

AH ^ SF:ZF:xx:AF:xx:PF:xx:CF; 

Description 

The LAHF instruction transfers the low byte of the flags word to the AH register. The 
bits, from MSB to LSB, are sign, zero, indeterminate, auxiUary, carry, indeterminate, 
parity, indeterminate, and carry. 

Flags Affected 

None 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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LAR- 


"Load Access Rights Byte 




Opcode 

OF 02 Ir 
OF 02 Ir 


Instruction Clocks 

LAR r16,r/m16 pm = 15/16 
LAR r32, r/m32 pm = 1 5/1 6 


Description 

r16^ r/m16 masked by FFOO 
r32 ^ r/m32 masked by OOFxFFOO 



Description 

The LAR instruction stores a marked form of the second doubleword of the descriptor 
for the source selector if the selector is visible at the current privilege level (modified by 
the selector's RPL) and is a valid descriptor type. The destination register is loaded with 
the high-order doubleword of the descriptor masked by OOFxFFOO, and the ZF flag is set. 
The X indicates that the four bits corresponding to the upper four bits of the limit are 
undefined in the value loaded by the LAR instruction. If the selector is invisible or of 
the wrong type, the ZF flag is cleared. 

If the 32-bit operand size is specified, the entire 32-bit value is loaded into the 32-bit 
destination register. If the 16-bit operand size is specified, the lower 16-bits of this value 
are stored in the 16-bit destination register. 

All code and data segment descriptors are valid for the LAR instruction. 

The valid special segment and gate descriptor types for the LAR instruction are given in 
the following table: 



Type 


Name 


Valid/Invalid 





Invalid 


Invalid 


1 


Available 80286 TSS 


Valid 


2 


LDT 


Valid 


3 


Busy 80286 TSS 


Valid 


4 


80286 call gate 


Valid 


5 


80286/386^" DX task gate 


Valid 


6 


80286 trap gate 


Valid 


7 


80286 interrupt gate . 


Valid 


8 


Invalid 


Invalid 


9 


Available 386 DX TSS 


Valid 


A 


Invalid 


Invalid 


B 


Busy 386 DX TSS 


Valid 


C 


386 DX call gate 


Valid 


D 


Invalid 


Invalid 


E 


386 DX trap gate 


Valid 


F 


386 DX interrupt gate 


Valid 



Flags Affected 

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the 
ZF flag is cleared. 



17-92 



Itit^® 386™ DX MICROPROCESSOR INSTRUCTION SET 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 6; the LAR instruction is unrecognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 
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LEA — Load Effective Address 



Opcode 


Instruction 


C 


8D Ir 
8D Ir 
8D Ir 
BD Ir 


LEA r16,m 
LEA r32,m 
LEA r16,m 
LEA r32,m 


2 
2 
2 
2 



Clocks 



Description 

Store effective address for m in register r16 
Store effective address for m in register r32 
Store effective address for m in register r16 
Store effective address for m in register r32 



Operation 

IF OperandSize = 16 AND AddressSize = 16 
THEN r16<-M6x{m)\ 
ELSE 
IF OperandSize = 16 AND AddressSize = 32 
THEN 

r16 <- Truncate_to_1 6bits(Addr(m)); (* 32-bit address *) 
ELSE 
IF OperandSize = 32 AND AddressSize = 16 
THEN 

r32<- Truncate_to_16bits(Addr(m)); 
ELSE 
IF OperandSize = 32 AND AddressSize = 32 
THEN r32^ Addr(m); 
Fl; 
Fl; 
Fl; 
Fl; 



Description 

The LEA instruction calculates the effective address (offset part) and stores it in the 
specified register. The operand-size attribute of the instruction (represented by Oper- 
andSize in the algorithm under "Operation" above) is determined by the chosen regis- 
ter. The address-size attribute (represented by AddressSize) is determined by the USE 
attribute of the segment containing the second operand. The address-size and operand- 
size attributes affect the action performed by the LEA instruction, as follows: 



Operand Size 


Address Size 


Action Performed 


16 


16 


16-bit effective address is calculated and stored in re- 
quested 16-bit register destination. 


16 


32 


32-bit effective address is calculated. The lower 16 
bits of the address are stored in the requested 16-bit 
register destination. 


32 


16 


16-bit effective address is calculated. The 16-bit ad- 
dress is zero-extended and stored in the requested 
32-bit register destination. 



17-94 



Intel' 



386™ DX MICROPROCESSOR INSTRUCTION SET 



Operand Size 


Address Size 


Action Performed 


32 


32 


32-bit effective address is calculated and stored in the 
requested 32-bit register destination. 



Flags Affected 

None 

Protected Mode Exceptions 

#UD if the second operand is a register 

Real Address Mode Exceptions 

Interrupt 6 if the second operand is a register 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 
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LEAVE - High Level Procedure Exit 



Opcode Instruction Clocks Description 

C9 LEAVE 4 Set SP to BP, then pop BP 

C9 LEAVE 4 Set ESP to EBP, then pop EBP 



Operation 

IF StackAddrSize = 16 
THEN 

SP ^ BP; 
ELSE (* StackAddrSize = 32 *) 

ESP ^ EBP; 
Fl; 

IF OperandSize = 16 
THEN 

BP^PopO; 
ELSE (* OperandSize = 32 *) 

EBP <- PopO; 
Fl; 

Description 

The LEAVE instruction reverses the actions of the ENTER instruction. By copying the 
frame pointer to the stack pointer, the LEAVE instruction releases the stack space used 
by a procedure for its local variables. The old frame pointer is popped into the BP or 
EBP register, restoring the caller's frame. A subsequent RET nn instruction removes any 
arguments pushed onto the stack of the exiting procedure. 

Flags Affected 

None 

Protected IVIode Exceptions 

#SS(0) if the BP register does not point to a location within the limits of the current 
stack segment 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 
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LGDT/LIDT— Load Global/interrupt Descriptor Table Register 



Opcode Instruction Clocks Description 

OF 01 /2 LGDT m16&32 1 1 Load m into GDTR 

OF 01 /3 LIDT m16&32 1 1 Load m into IDTR 



Operation 

IF instruction = LIDT 
THEN 

IF OperandSize = 16 

THEN IDTR.Limit:Base ^ m16:24 (* 24 bits of base loaded *) 

ELSE IDTR.Limit:Base ^ m16:32 

Fl; 
ELSE (* instruction = LGDT *) 

IF OperandSize = 16 

THEN GDTR.Limit:Base ^ m16:24 (* 24 bits of base loaded *) 

ELSE GDTR.Limit:Base ^ m16:32; 

Fl; 
Fl; 



Description 

The LGDT and LIDT instructions load a linear base address and limit value from a 
six-byte data operand in memory into the GDTR or IDTR, respectively. If a 16-bit 
operand is used with the LGDT or LIDT instruction, the register is loaded with a 16-bit 
limit and a 24-bit base, and the high-order eight bits of the six-byte data operand are not 
used. If a 32-bit operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order 
eight bits of the six-byte operand are used as high-order base address bits. 

The SGDT and SIDT instructions always store into all 48 bits of the six-byte data oper- 
and. With the 80286, the upper eight bits are undefined after the SGDT or SIDT in- 
struction is executed. With the 386 DX microprocessor, the upper eight bits are written 
with the high-order eight address bits, for both a 16-bit operand and a 32-bit operand. If 
the LGDT or LIDT instruction is used with a 16-bit operand to load the register stored 
by the SGDT or SIDT instruction, the upper eight bits are stored as zeros. 

The LGDT and LIDT instructions appear in operating system software; they are not 
used in application programs. They are the only instructions that directly load a linear 
address (i.e., not a segment relative address) in 386 DX microprocessor Protected Mode. 



Flags Affected 

None 

17-97 



intei"^ 386™ DX MICROPROCESSOR INSTRUCTION SET 

Protected Mode Exceptions 

#GP(0) if the current privilege level is not 0; #UD if the source operand is a register; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH; Interrupt 6 if the source operand is a register 

Note: These instructions are valid in Real Address Mode to allow power-up initialization 
for Protected Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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LGS/LSS/LDS/LES/LFS-Load Full Pointer 



Opcode 


Instruction 


Clocks 


Description 


C5 Ir 


LDS r16,m16:16 


7,p/T7 = 26 


Load DS:ry6 with pointer from memory 


C5 Ir 


LDS r32,m16:32 


7,p/7? = 28 


Load DS.T32with pointer from memory 


OF B2 Ir 


LSS r16,m16:16 


7,pm-26 


Load SS:rr6with pointer from memory 


OF B2 Ir 


LSS r32,m16:32 


7,pr77-28 


Load SS:r32with pointer from memory 


C4 Ir 


LES r16,m16:16 


7,p/77 = 26 


Load ES:rt6witli pointer from memory 


C4 Ir 


LES r32,m16:32 


7,pm-28 


Load ES:r32 with pointer from memory 


OF B4 Ir 


IFS r16,m16:16 


7,pm = 29 


Load FS.rrewith pointer from memory 


OF 84 /r 


LFS r32,m 16:32 


7,pmS^ 


Load FS:r32with pointer from memory 


OF 85 Ir 


LGS r16,m16:16 


7,pm-29 


Load GS:ry6 with pointer from memory 


OF 85 Ir 


LGS r32,m16:32 


7,pm=31 


Load GS:f32with pointer from memory 



Operation 

CASE instruction OF 
LSS: Sreg is SS; (* Load SS register *) 
LDS: Sreg is DS; (* Load DS register *) 
LES: Sreg is ES; (* Load ES register *) 
LFS: Sreg is FS; (* Load FS register *) 
LGS: Sreg is DS; (* Load GS register *) 

ESAC; 

IF (OperandSize = 16) 

THEN 
r16^ [Effective Address]; (* 16-bit transfer *) 
Sreg ^ [Effective Address + 2]; (* 16-bit transfer *) 
(* In Protected IVIode, load the descriptor into the segment register *) 

ELSE (* OperandSize = 32 *) 
r32 ^ [Effective Address]; (* 32-bit transfer *) 
Sreg ^ [Effective Address + 4]; (* 16-bit transfer *) 
(* In Protected Mode, load the descriptor into the segnnent register *) 

Fl; 



Description 



Tlie LGS, LSS, LDS, LES, and LFS instructions read a full pointer from memory and 
store it in the selected segment register:register pair. The full pointer loads 16 bits into 
the segment register SS, DS, ES, FS, or GS. The other register loads 32 bits if the 
operand-size attribute is 32 bits, or loads 16 bits if the operand-size attribute is 16 bits. 
The other 16- or 32-bit register to be loaded is determined by the r16 or r32 register 
operand specified. 

When an assignment is made to one of the segment registers, the descriptor is also 
loaded into the segment register. The data for the register is obtained from the descrip- 
tor table entry for the selector given. 
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A null selector (values 0000-0003) can be loaded into DS, ES, FS, or GS registers with- 
out causing a protection exception. (Any subsequent reference to a segment whose cor- 
responding segment register is loaded with a null selector to address memory causes a 
#GP(0) exception. No memory reference to the segment occurs.) 

The following is a listing of the Protected Mode checks and actions taken in the loading 
of a segment register: 

IF SS is loaded: 
IF selector is null THEN #GP(0); Fl; 
Selector index must be within its descriptor table limits ELSE 

#GP(selector); 
Selector's RPL must equal GPL ELSE #GP(selector); 
AR byte must indicate a writable data segment ELSE #GP(selector); 
DPL in the AR byte must equal GPL ELSE #GP(selector); 
Segment must be marked present ELSE #SS (selector); 
Load SS with selector; 
Load SS with descriptor; 

IF DS, ES, FS, or GS is loaded with non-null selector: 
Selector index must be within its descriptor table limits ELSE 

#GP(selector); 
AR byte must indicate data or readable code segment ELSE 

#GP(selector); 
IF data or nonconforming code 
THEN both the RPL and the GPL must be less than or equal to DPL in 

AR byte; 
ELSE #GP(selector); 

Segment must be marked present ELSE #NP(selector); 
Load segment register with selector and RPL bits; 
Load segment register with descriptor; 

IF DS, ES, FS or GS is loaded with a null selector: 
Load segment register with selector; 
Glear descriptor valid bit; 



Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; the second operand must be 
a memory operand, not a register; #GP(0) if a null selector is loaded into SS; #PF(fault- 
code) for a page fault 
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Real Address Mode Exceptions 

The second operand must be a memory operand, not a register; Interrupt 13 if any part 
of the operand would lie outside of the effective address space from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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LLDT- 


- Load Local Descriptor Table Register 


Opcode 

OF 00 12 


Instruction Clocks Description 

LLDl r/m16 20 Load selector r/m 7 6 into LDTR 



Operation 

LDTR ^ SRC; 

Description 

The LLDT instruction loads the Local Descriptor Table register (LDTR). The word 
operand (memory or register) to the LLDT instruction should contain a selector to the 
Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If 
so, then the LDTR is loaded from the entry. The descriptor registers DS, ES, SS, FS, 
GS, and CS are not affected. The LDT field in the task state segment does not change. 

The selector operand can be 0; if so, the LDTR is marked invalid. All descriptor refer- 
ences (except by the LAR, VERR, VERW or LSL instructions) cause a #GP fault. 

The LLDT instruction is used in operating system software; it is not used in application 
programs. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the current privilege level is not 0; #GP(selector) if the selector operand does 
not point into the Global Descriptor Table, or if the entry in the GDT is not a Local 
Descriptor Table; #NP(selector) if the LDT descriptor is not present; #GP(0) for an 
illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) 
for an illegal address in the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 6; the LLDT instruction is not recognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode (because the instruction is not recognized, it 
will not execute or perform a memory reference) 
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Note 

The operand-size attribute has no effect on this instruction. 
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LMSW-Load Machine Status Word 



Opcode Instruction Clocks Description 

OF 01 /6 LMSW r/m16 11/14 Load r/m16\n machine status word 



Operation 

MSW <- r/m16; (* 16 bits is stored in the machine status word *) 

Description 

The LMSW instruction loads the machine status word (part of the CRO register) from 
the source operand. This instruction can be used to switch to Protected Mode; if so, it 
must be followed by an intrasegment jump to flush the instruction queue. The LMSW 
instruction will not switch back to Real Address Mode. 

The LMSW instruction is used only in operating system software. It is not used in appli- 
cation programs. 

Flags Affected 

None 

Protected IVlode Exceptions 

#GP(0) if the current privilege level is not 0; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

The operand-size attribute has no effect on this instruction. This instruction is provided 
for compatibility with the 80286; 386 DX microprocessor programs should use the MOV 
CRO, ... instruction instead. The LMSW instruction does not affect the PG or ET bits, 
and it cannot be used to clear the PE bit. 
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LOCK -Assert LOCK# Signal Prefix 



Opcode Instruction Clocks Description 

FO LOCK Assert LOCK# signal for the next instruction 



Description 

The LOCK prefix causes the LOCK# signal of the 386 DX microprocessor to be 
asserted during execution of the instruction that follows it. In a multiprocessor environ- 
ment, this signal can be used to ensure that the 386 DX microprocessor has exclusive use 
of any shared memory while LOCK# is asserted. The read-modify-write sequence typi- 
cally used to implement test-and-set on the 386 DX microprocessor is the BTS 
instruction. 

The LOCK prefix functions only with the following instructions: 

BTS, BTR, BTC mem, reg/imm 

XCHG reg, mem 

XCHG mem, reg 

ADD, OR, ADC, SBB, AND, SUB, XOR mem, reg/imm 

NOT, NEG, INC, DEC mem 

An undefined opcode trap will be generated if a LOCK prefix is used with any instruc- 
tion not listed above. 

The XCHG instruction always asserts LOCK# regardless of the presence or absence of 
the LOCK prefix. 

The integrity of the LOCK prefix is not affected by the alignment of the memory field. 
Memory locking is observed for arbitrarily misaligned fields. 

Flags Affected 

None 

Protected iVIode Exceptions 

#UD if the LOCK prefix is used with an instruction not listed in the "Description" 
section above; other exceptions can be generated by the subsequent (locked) instruction 

Real Address Mode Exceptions 

Interrupt 6 if the LOCK prefix is used with an instruction not listed in the "Description" 
section above; exceptions can still be generated by the subsequent (locked) instruction 
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Virtual 8086 Mode Exceptions 

#UD if the LOCK prefix is used with an instruction not Hsted in the "Description" 
section above; exceptions can still be generated by the subsequent (locked) instruction 
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LODS/LODSB/LODSW/LODSD-Load String Operand 



Opcode 


Instruction 


Clocks 


Description 


AC 


LCDS m8 


5 


Load byte [(E)SI] into AL 


AD 


LCDS m16 


5 


Load word [(E)SI] into AX 


AD 


LCDS m32 


5 


Load dword [(E)SI] into EAX 


AC 


LODSB 


5 


Load byte DS:[(E)SI] into AL 


AD 


LODSW 


5 


Load word DS:[(E)SI] into AX 


AD 


LODSD 


5 


Load dword DS:[(E)SI] into EAX 



Operation 



AddressSize = 16 

THEN use SI for source-index 

ELSE (* AddressSize = 32 *) 

use ESI for source-index; 
Fl; 

IF byte type of instruction 
THEN 

AL -e- [source-index]; (* byte load *) 

IF DF = THEN IncDec ^ 1 ELSE IncDec ^ 
ELSE 

IF OperandSize = 16 

THEN 
AX ^ [source-index]; (* word load *) 
IF DF = THEN IncDec ^ 2 ELSE IncDec • 

ELSE (* OperandSize = 32 *) 
EAX «- [source-index]; (* dword load *) 
IF DF = THEN IhcDec <- 4 ELSE IncDec 

Fl; 
Fl; 
source-index <- source-index + IncDec 



■1; Fl; 



-2; Fl; 



-4; Fl; 



Description 

The LODS instruction loads tlie AL, AX, or EAX register with the memory byte, word, 
or doubleword at the location pointed to by the source-index register. After the transfer 
is made, the source-index register is automatically advanced. If the DF flag is (the 
CLD instruction was executed), the source index increments; if the DF flag is 1 (the 
STD instruction was executed), it decrements. The increment or decrement is 1 if a byte 
is loaded, 2 if a word is loaded, or 4 if a doubleword is loaded. 

If the address-size attribute for this instruction is 16 bits, the SI register is used for the 
source-index register; otherwise the address-size attribute is 32 bits, and the ESI register 
is used. The address of the source data is determined solely by the contents of the ESI or 
SI register. Load the correct index value into the SI register before executing the LODS 
instruction. The LODSB, LODSW, and LODSD instructions are synonyms for the byte, 
word, and doubleword LODS instructions. 
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The LODS instruction can be preceded by the REP prefix; however, the LODS instruc- 
tion is used more typically within a LOOP construct, because further processing of the 
data moved into the EAX, AX, or AL register is usually necessary. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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LOOP/LOOPcond-Loop Control with CX Counter 



Opcode 


Instruction 


Clocks 


Description 


E2 cb 


LOOP rel8 


11+m 


DEC count; jump short if count <> 


El cb 


LOOPE reld 


11+Ar7 


DEC count; jump short if count < > and ZF= 1 


E1 cb 


LOOPZ rel8 


11+/77 


DEC count; jump short if count <> and ZF= 1 


EO cb 


LOOPNE rel8 


^^+m 


DEC count; jump short if count < > and ZF = 


EO cb 


LOOPNZ reia 


11+/7? 


DEC count; jump short if count <> and ZF = 



Operation 

IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; Fl; 
CountReg ^ CountReg - 1; 

IF instruction < > LOOP 
THEN 

IF (instruction = LOOPE) OR (instruction = LOOPZ) 

THEN BranchCond ^ (ZF = 1) AND (CountReg <> 0); 

Fl; 

IF (Instruction = LOOPNE) OR (instruction = LOOPNZ) 

THEN BranchCond ^ (ZF = 0) AND (CountReg < > 0); 

Fl; 
Fl; 

IF BranchCond 
THEN 
IF OperandSize = 16 
THEN 

IP ^ IP + SignExtend(re/S); 
ELSE (* OperandSize = 32 *) 

EIP ^ EIP + SignExtend(re/S); 
Fl; 
Fl; 

Description 

The LOOP instruction decrements the count register without changing any of the flags. 
Conditions are then checked for the form of the LOOP instruction being used. If the 
conditions are met, a short jump is made to the label given by the operand to the LOOP 
instruction. If the address-size attribute is 16 bits, the CX register is used as the count 
register; otherwise the ECX register is used. The operand of the LOOP instruction must 
be in the range from 128 (decimal) bytes before the instruction to 127 bytes ahead of the 
instruction. 

The LOOP instructions provide iteration control and combine loop index management 
with conditional branching. Use the LOOP instruction by loading an unsigned iteration 
count into the count register, then code the LOOP instruction at the end of a series of 
instructions to be iterated. The destination of the LOOP instruction is a label that points 
to the beginning of the iteration. 
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Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the offset jumped to is beyond the Hmits of the current code segment 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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LSL — Load Segment Limit 



Opcode Instruction Clocks Description 

OF 03 Ir LSL r16,r/m16 pm = 21/22 Load: r16 <- segment limit, selector r/m16 (byte granular) 

OF 03 /r LSL r32,r/m32 pm = 21/22 Load: r32 ^ segment limit, selector r/m32 (byte granular) 

OF 03 /r LSL r16,r/m16 pm = 25/26 Load: r16 <- segment limit, selector r/m16 (page granular) 

OF 03 /r LSL r32,r/m32 pm = 25/26 Load: r32 *- segment limit, selector r/m32 (page granular) 



Description 

The LSL instruction loads a register with an unscrambled segment limit, and sets the ZF 
flag, provided that the source selector is visible at the current privilege level and RPL, 
and that the descriptor is a type accepted by the LSL instruction. Otherwise, the ZF flag 
is cleared, and the destination register is unchanged. The segment limit is loaded as a 
byte granular value. If the descriptor has a page granular segment limit, the LSL instruc- 
tion will translate it to a byte limit before loading it in the destination register (shift left 
12 the 20-bit "raw" limit from descriptor, then OR with OOOOOFFFH). 

The 32-bit forms of the LSL instruction store the 32-bit byte granular limit in the 16-bit 
destination register. 

Code and data segment descriptors are valid for the LSL instruction. 

The valid special segment and gate descriptor types for the LSL instruction are given in 
the following table: 



Type 


Name 


Valid/Invalid 





Invalid 


Invalid 


1 


Available 80286 TSS 


Valid 


2 


LDT 


Valid 


3 


Busy 80286 TSS 


Valid 


4 


80286 call gate 


Invalid 


5 


80286/386™ DX task gate 


Invalid 


6 


80286 trap gate 


Invalid 


7 


80286 interrupt gate 


Invalid 


8 


Invalid 


Valid 


9 


Available 386 DX TSS 


Valid 


A 


Invalid 


Invalid 


B 


Busy 386 DX TSS 


Valid 


C 


386 DX call gate 


Invalid 


D 


Invalid 


Invalid 


E 


386 DX trap gate 


Invalid 


F 


386 DX interrupt gate 


Invalid 



Flags Affected 

The ZF flag is set unless the selector is invisible or of the wrong type, in which case the 
ZF flag is cleared 
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Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 6; the LSL instruction is not recognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 
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LTR- 


-Load Task Register 




Opcode 

OF 00 /3 


instruction 

LTR r/m16 


Clocics 

pm= 23/27 


Description 

Load EA word into task register 



Description 

The LTR instruction loads the task register from the source register or memory location 
specified by the operand. The loaded TSS is marked busy. A task switch does not occur. 

The LTR instruction is used only in operating system software; it is not used in applica- 
tion programs. 

Flags Affected 

None 

Protected IVIode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the current privi- 
lege level is not 0; #GP(selector) if the object named by the source selector is not a TSS 
or is already busy; #NP(selector) if the TSS is marked "not present"; #PF(fault-code) 
for a page fault 

Real Address Mode Exceptions 

Interrupt 6; the LTR instruction is not recognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 

Notes 

The operand-size attribute has no effect on this instruction. 
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MOV— Move Data 



Opcode 


Instruction 


Clocks 


Description 


88 Ir 


MOV r/m8,r8 


2/2 


Move byte register to r/m byte 


89 Ir 


MOV r/m16,r16 


2/2 


Move word register to r/m word 


89 Ir 


MOV r/m32,r32 


2/2 


Move dword register to r/m dword 


8A Ir 


MOV r8,r/m8 


2/4 


Move r/m byte to byte register 


8B Ir 


MOV r16,r/m16 


2/4 


Move r/m word to word register 


8B Ir 


MOV r32,r/m32 


2/4 


Move r/m dword to dword register 


8C Ir 


MOV r/m16,Sreg 


2/2 


Move segment register to r/m word 


8E /r 


MOV Sreg,r/m16 


2/5,pm= 18/19 


Move r/m word to segment register 


AO 


hAOy AL,moffs8 


4 


Move byte at {seg:offset} to AL 


A1 


MOV PX,moffs16 


4 


Move word at {seg:offset} to AX 


A1 


MOV EM(.,moffs32 


4 


Move dword at {seg:offset) to EAX 


A2 


MOV moffs8A\- 


2 


Move AL to {seg:offsetj 


A3 


MOV moffsWM 


2 


Move AX to {seg:offset} 


A3 


MOV moffs32,EM(. 


2 


Move EAX to {seg:offset) 


B0+ rb 


MOV reg8,imm8 


2 


Move immediate byte to register 


88+ rw 


MOV reg16,imm16 


2 


Move immediate word to register 


88+ rd 


MOV reg32,imm32 


2 


Move immediate dword to register 


C6 


MOV r/m8,imm8 


2/2 


Move immediate byte to r/m byte 


C7 


MOV r/m16,imm16 


2/2 


Move immediate word to r/m word 


C7 


MOV r/m32,imm32 


2/2 


Move immediate dword to r/m dword 



NOTES: moffs8, moffsW, and moffs32 all consist of a simple offset relative to the segment base. The 8, 16, 
and 32 refer to the size of the data. The address-size attribute of the instruction determines the 
size of the offset, either 16 or 32 bits. 



Operation 

DEST ^ SRC; 



Description 

The MOV instruction copies the second operand to the first operand. 

If the destination operand is a segment register (DS, ES, SS, etc.), then data from a 
descriptor is also loaded into the register. The data for the register is obtained from the 
descriptor table entry for the selector given. A null selector (values 0000-0003) can be 
loaded into the DS and ES registers without causing an exception; however, use of the 
DS or ES register causes a #GP(0) exception, and no memory reference occurs. 

A MOV into SS instruction inhibits all interrupts until after the execution of the next 
instruction (which is presumably a MOV into ESP instruction). 

Loading a segment register under 386 DX Protected Mode results in special checks and 
actions, as described in the following listing: 

IF SS is loaded; 
THEN 

IF selector is null THEN #GP(0); 
Fl; 

Selector index must be within its descriptor table limits else #GP(selector); 

Selector's RPL must equal CPL else #GP(selector); 
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AR byte must indicate a writable data segment else #GP(selector); 

DPL in the AR byte must equal CPL else #GP(selector); 

Segment must be marked present else #SS(selector); 

Load SS with selector; 

Load SS with descriptor. 
Fl; 

IF DS, ES, FS or GS is loaded with non-null selector; 
THEN 

Selector index must be within its descriptor table limits 
else #GP(selector); 

AR byte must indicate data or readable code segment else #GP(selector); 

IF data or nonconforming code segment 

THEN both the RPL and the CPL must be less than or equal to DPL in AR byte; 

ELSE #GP(selector); 

Fl; 

Segment must be marked present else #NP(selector); 

Load segment register with selector; 

Load segment register with descriptor; 
Fl; 

IF DS, ES, FS or GS is loaded with a null selector; 
THEN 

Load segment register with selector; 

Clear descriptor valid bit; 
Fl; 

Flags Affected 

None 

Protected Mode Exceptions 

#GP, #SS, and #NP if a segment register is being loaded; otherwise, #GP(0) if the 
destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective 
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS 
segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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MOV— Move to/from Special Registers 



Opcode 


Instruction 


Clocks 


Description 


OF 20 Ir 


MOV r32,CR0/CR2/GR3 


6 


Move (control register) to (register) 


OF 22 Ir 


MOV CR0/CR2/CR3,r32 


11/4/5 


Move (register) to (control register) 


0F21 Ir 


MOV r32,DR0 - 3 


22 


Move (debug register) to (register) 


OF 21 Ir 


MOV r32,DR6/DR7 


14 


Move (debug register) to (register) 


OF 23 /r 


MOV DRO - 3,r32 


22 


Move (register) to (debug register) 


OF 23 /r 


MOV DR6/DR7,r32 


16 


Move (register) to (debug register) 


OF 24 /r 


MOV r32,TR6/TR7 


12 


Move (test register) to (register) 


OF 26 /r 


MOV TR6/TR7, r32 


12 


Move (register) to (test register) 



Operation 

DEST^SRC; 

Description 

The above forms of the MOV instruction store or load the following special registers in 
or from a general purpose register: 

• Control registers CRO, CR2, and CR3 

• Debug Registers DRO, DRl, DR2, DR3, DR6, and DRV 

• Test Registers TR6 and TR7 

Thirty-two bit operands are always used with these instructions, regardless of the 
operand-size attribute. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are undefined 

Protected Mode Exceptions 

#GP(0) if the current privilege level is not 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

#GP(0) if instruction execution is attempted 

Notes 

The instructions must be executed at privilege level or in real-address mode; otherwise, 
a protection exception will be raised. 
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The reg field within the ModR/M byte specifies which of the special registers in each 
category is involved. The two bits in the mod field are always 11. The r/m field specifies 
the general register involved. 
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MOVS/MOVSB/MOVSW/MOVSD-Move Data from String to 

String 



Opcode 


Instruction 


Clocks 


Description 


A4 
A5 
A5 
A4 
A5 
A5 


MOVS m8,m8 
MOVS m16,m16 
MOVS m32,m32 
MOVSB 
MOVSW 
MOVSD 


8 
8 
8 
8 
8 
8 


Move byte [(E)SI] to ES:[(E)DI] 
Move word [(E)SI] to ES:[(E)DI] 
Move dword [(E)SI] to ES:[(E)DI] 
Move byte DS:[{E)SI] to ES:[(E)DI] 
Move word DS:[(E)SI] to ES:[(E)DI] 
Move dword DS:[(E)SI] to ES:[(E)DI] 



Operation 

IF (instruction = iVlOVSD) OR (instruction has doubleword operands) 

THEN OperandSize <- 32; 

ELSE OperandSize ^ 16; 

IF AddressSize = 16 

THEN use SI for source-index and Dl for destination-index; 

ELSE (* AddressSize = 32 *) 

use ESI for source-index and EDI for destination-index; 
Fl; 

IF byte type of instruction 
THEN 

[destination-index] ^ [source-index]; (* byte assignment *) 

IF DF = THEN IncDec <- 1 ELSE IncDec ^ -1; Fl; 
ELSE 

IF OperandSize = 16 

THEN 

[destination-index] ^ [source-index]; (* word assignment *) 
IF DF = THEN IncDec ^ 2 ELSE IncDec ^ -2; Fl; 

ELSE (* OperandSize = 32 *) 
[destination-index] ^ [source-index]; (* doubleword assignment *) 
IF DF = THEN IncDec ^ 4 ELSE IncDec ^ -4; Fl; 

Fl; 
Fl; 

source-index ^ source-index + IncDec; 
destination-index <- destination-index + IncDec; 

Description 

The MOVS instruction copies tlie byte or word at [(E)SI] to the byte or word at ES- 
:[(E)DI]. The destination operand must be addressable from the ES register; no segment 
override is possible for the destination. A segment override can be used for the source 
operand; the default is the DS register. 

The addresses of the source and destination are determined solely by the contents of the 
(E)SI and (E)DI registers. Load the correct index values into the (E)SI and (E)DI 
registers before executing the MOVS instruction. The MOVSB, MOVSW, and MOVSD 
instructions are synonyms for the byte, word, and doubleword MOVS instructions. 
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After the data is moved, both the (E)SI and (E)DI registers are advanced automatically. 
If the DF flag is (the CLD instruction was executed), the registers are incremented; if 
the DF flag is 1 (the STD instruction was executed), the registers are decremented. The 
registers are incremented or decremented by 1 if a byte was moved, 2 if a word was 
moved, or 4 if a doubleword was moved. 

The MOVS instruction can be preceded by the REP prefix for block movement of CX 
bytes or words. Refer to the REP instruction for details of this operation. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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MOVSX-Move with Sign-Extend 



Opcode 

OF BE Ir 
OF BE Ir 
OF BF /r 



Instruction 



Clocks 



MOVSX r16,r/m8 3/6 

MOVSX r32,r/m8 3/6 

MOVSX r32,r/m16 3/6 



Description 

Move byte to word with sign-extend 
Move byte to dword, sign-extend 
Move word to dword, sign-extend 



Operation 

DEST <- SignExtend(SRC); 

Description 

The MOVSX instruction reads the contents of the effective address or register as a byte 
or a word, sign-extends the value to the operand-size attribute of the instruction (16 or 
32 bits), and stores the result in the destination register. 

Flags Affected 

None 

Protected l\/lode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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MOVZX-Move with Zero-Extend 



Opcode 

OF B6 Ir 
OF B6 Ir 
OF B7 Ir 



Instruction 



Clocks 



MOVZX r16,r/m8 3/6 

MOVZX r32,r/m8 3/6 

MOVZX r32,r/m16 3/6 



Description 

Move byte to word with zero-extend 
Move byte to dword, zero-extend 
Move word to dword, zero-extend 



Operation 

DEST ^ ZeroExtend(SRC); 

Description 

The MOVZX instruction reads the contents of the effective address or register as a byte 
or a word, zero extends the value to the operand-size attribute of the instruction (16 or 
32 bits), and stores the result in the destination register. 

Flags Affected 

None 

Protected IVIode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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MUL— Unsigned Multiplication of AL or AX 



Opcode Instruction Clocks Description 

F6 /4 MUL AL,r/m8 9-14/12-17 Unsigned multiply (AX <- AL * r/m byte) 

F7 /4 MUL PX,r/m16 9-22/12-25 Unsigned multiply (DX:AX ^fiX* r/m word) 

F7 /4 MUL EAX,r/jrn32 9-38/1 2-41 Unsigned multiply (EDX:EAX ^ EAX * r/m dword) 



NOTES: The 386 DX uses an early-out nnultiply algorithm. The actual nunnber of clocks depends on the 
position of the most significant bit in the optimizing multiplier. The optimization occurs for positive 
and negative multiplier values. Because of the early-out algorithm, clock counts given are mini- 
mum to maximum. To calculate the actual clocks, use the following formula: 

Actual clock = if m <> then max(ceiling(log2 | m | ), 3) + 6 clocks; 

Actual clock = if m = then 9 clocks 
where m is the multiplier. 



Operation 



IF byte-size operation 

THEN AX ^ AL * r/m8 

ELSE (* word or doubleword operation *) 

IF OperandSize = 16 

THEN DX:AX<-AX*r/rT7 76 

ELSE (* OperandSize = 32 *) 
EDX:EAX ^ EAX * r/m32 

Fl; 
Fl; 



Description 



The MUL instruction performs unsigned multiplication. Its actions depend on the size of 
its operand, as follows: 

• A byte operand is multiplied by the AL value; the result is left in the AX register. 
The CF and OF flags are cleared if the AH value is 0; otherwise, they are set. 

• A word operand is multiplied by the AX value; the result is left in the DX:AX 
register pair. The DX register contains the high-order 16 bits of the product. The CF 
and OF flags are cleared if the DX value is 0; otherwise, they are set. 

• A doubleword operand is multipHed by the EAX value and the result is left in the 
EDX:EAX register. The EDX register contains the high-order 32 bits of the product. 
The CF and OF flags are cleared if the EDX value is 0; otherwise, they are set. 



Flags Affected 

The OF and CF flags are cleared if the upper half of the result is 0; otherwise they are 
set; the SF, ZF, AF, PF, and CF flags are undefined 
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Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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NEG— Two's Complement Negation 



Opcode Instruction Clocks Description 

F6 /3 NEG r/m8 2/6 Two's complement negate r/m byte 

F7 3 NEG r/m16 2/6 Two's complement negate r/m word 

F7 /3 NEG r/m32 2/6 Two's complement negate r/m dword 



Operation 

IF r/m = THEN OF 4- O ELSE CF ^ 1 ; Fl; 
r/m< r/m 

Description 

The NEG instruction replaces the value of a register or memory operand with its two's 
complement. The operand is subtracted from zero, and the result is placed in the 
operand. 

The CF flag is set, unless the operand is zero, in which case the CF flag is cleared. 

Flags Affected 

The CF flag is set unless the operand is zero, in which case the CF flag is cleared; the 
OF, SF, ZF, and PF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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NOP -No Operation 



Opcode instruction Clocks Description 

90 NOP 3 No operation 



Description 

The NOP instruction performs no operation. The NOP instruction is a one-byte instruc- 
tion that takes up space but affects none of the machine context except the (E)IP 
register. 

The NOP instruction is an aHas mnemonic for the XCHG (E)AX, (E)AX instruction. 

Flags Affected 

None 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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NOT— One's Complement Negation 



Opcode 

F6 /2 
F7 12 
F7 12 



Instruction 

NOT r/m8 
NOT r/m16 
NOT r/m32 



Clocks 

2/6 
2/6 
2/6 



Description 

Reverse each bit of r/m byte 
Reverse each bit of r/m word 
Reverse each bit of r/m dword 



Operation 

r/m <- NOT r/m; 

Description 

The NOT instruction inverts the operand; every 1 becomes a 0, and vice versa. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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OR — Logical Inclusive OR 



Opcode 


instruction 


Ciocits 


Description 


OC ib 


OR AL, immd 


2 


OR immediate byte to AL 


OD iw 


OR AXJmmW 


2 


OR immediate word to AX 


OD id 


OR EAX,imm32 


2 


OR immediate dword to EAX 


80 /1 ib 


OR r/m8,imm8 


2/7 


OR immediate byte to r/m byte 


81 /1 iw 


OR r/m16,imm16 


2/7 


OR immediate word to r/m word 


81 /1 /d 


OR r/m32,imm32 


2/7 


OR immediate dword to r/m dword 


83 /1 //3 


OR r/m16,imm8 


2/7 


OR sign-extended immediate byte with r/m word 


83 /1 ib 


OR r/m32,imm8 


2/7 


OR sign-extended immediate byte witii r/m dword 


08 /r 


OR r/rT75,r8 


2/6 


OR byte register to r/m byte 


09 /r 


OR r/m16,r16 


2/6 


OR word register to r/m word 


09 /r 


OR r/m32,r32 


2/6 


OR dword register to r/m dword 


OA/r 


OR rS,r/r77S 


2/7 


OR byte register to r/m byte 


OB /r 


OR r16,r/m16 


2/7 


OR word register to r/m word 


OB /r 


OR r32,r/m32 


2/7 


OR dword register to r/m dword 



Operation 

DEBT ^ DEST OR SRC; 

CF^O; 

OF^O 



Description 

The OR instruction computes the inclusive OR of its two operands and places the result 
in the first operand. Each bit of the result is if both corresponding bits of the operands 
are 0; otherwise, each bit is 1. 

Flags Affected 

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the 
result; the AF flag is undefined 

Protected IVIode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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OUT-OutputtoPort 



Opcode 


Instruction 


Clocks 


Description 


E6 ib 


OUT imm8,NL 


10,pm = 4*/24** 


Output byte AL to immediate port number 


E7 ib 


OUT immdM 


10,pm = 4*/24** 


Output word AL to immediate port number 


E7 ib 


OUT imm8,EM{ 


10,pm = 4*/24** 


Output dword AL to immediate port number 


EE 


OUT DX,AL 


11,pm = 5*/25** 


Output byte AL to port number in DX 


EF 


OUT DX.AX 


11,pm = 5*/25** 


Output word AL to port number in DX 


EF 


OUT DX.EAX 


11,pm = 5*/25** 


Output dword AL to port number in DX 



NOTES: *lfCPL< lOPL 

**lf CPL > lOPL or if in virtual 8086 nnode 



Operation 

IF (RE = 1) AND ((VM = 1) OR (CRL > lORL)) 

THEN (* Virtual 8086 mode, or protected mode with CRL > 

IF NOT l-0-Rermission (DEST, width(DEST)) 

THEN #GR(0); 

Fl; 
Fl; 
[DEST] ^ SRC; (* I/O address space used *) 



lORL^ 



Description 

The OUT instruction transfers a data byte or data word from the register (AL, AX, or 
EAX) given as the second operand to the output port numbered by the first operand. 
Output to any port from to 65535 is performed by placing the port number in the DX 
register and then using an OUT instruction with the DX register as the first operand. If 
the instruction contains an eight-bit port ID, that value is zero-extended to 16 bits. 

Flags Affected 

None 

Protected IVlode Exceptions 

#GP(0) if the current privilege level is higher (has less privilege) than the I/O privilege 
level and any of the corresponding I/O permission bits in the TSS equals 1 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

#GP(0) fault if any of the corresponding I/O permission bits in the TSS equals 1 
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OUTS/OUTSB/OUTSW/OUTSD- Output String to Port 



Opcode 


Instruction 


Clocks 


Description 


6E 


OUTS DX,r/m8 


14,pm = 8*/28** 


Output byte [(E)SI] to port in DX 


6F 


OUTS DX,r/m16 


14,pm = 8*/28** 


Output word [(E)SI] to port in DX 


6F 


OUTS DX,r/m32 


14,pm = 8*/28** 


Output dword [(E)SI] to port in DX 


6E 


OUTSB 


14,pm = 8*/28** 


Output byte DS:[(E)SI] to port in DX 


6F 


OUTSW 


14,pm = 8*/28** 


Output word DS:I(E)SI] to port in DX 


6F 


OUTSD 


14,pm = 8*/28** 


Output dword DS:[(E)SI] to port in DX 



NOTES: *lf CPL < lOPL 

**lf CPL > lOPL or if in virtual 8086 mode 

Operation 

IF AddressSize = 16 

THEN use SI for source-index; 

ELSE (* AddressSize = 32 *) 

use ESI for source-index; 
Fl; 

IF (PE = 1) AND ((VM = 1) OR (CPL > lOPL)) 

THEN (* Virtual 8086 mode, or protected mode with CPL > lOPL *) 

IF NOT l-0-Permission (DEST, width(DEST)) 

THEN #GP(0); 

Fl; 
Fl; 

IF byte type of instruction 
THEN 

[DX] ^ [source-Index]; (* Write byte at DX I/O address *) 

IF DF = THEN IncDec <- 1 ELSE IncDec ^ -1; Fl; 
FL- 
IP OperandSize = 16 
THEN 

[DX] ^ [source-index]; (* Write word at DX I/O address *) 

IF DF = THEN IncDec <- 2 ELSE IncDec ^ -2; Fl; 

Fl; 

IF OperandSize = 32 

THEN 

[DX] <- [source-index]; (* Write dword at DX I/O address *) 

IF DF = THEN IncDec ^ 4 ELSE IncDec ^ -4; Fl; 

Fl; 
Fl; 
source-Index ^ source-index + IncDec; 

Description 

The OUTS instruction transfers data from the memory byte, word, or doubleword at the 
source-index register to the output port addressed by the DX register. If the address-size 
attribute for this instruction is 16 bits, the SI register is used for the source-index regis- 
ter; otherwise, the address-size attribute is 32 bits, and the ESI register is used for the 
source-index register. 
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The OUTS instruction does not allow specification of the port number as an immediate 
value. The port must be addressed through the DX register value. Load the correct value 
into the DX register before executing the OUTS instruction. 

The address of the source data is determined by the contents of source-index register. 
Load the correct index value into the SI or ESI register before executing the OUTS 
instruction. 

After the transfer, source-index register is advanced automatically. If the DF flag is 
(the CLD instruction was executed), the source-index register is incremented; if the DF 
flag is 1 (the STD instruction was executed), it is decremented. The amount of the 
increment or decrement is 1 if a byte is output, 2 if a word is output, or 4 if a doubleword 
is output. 

The OUTSB, OUTSW, and OUTSD instructions are synonyms for the byte, word, and 
doubleword OUTS instructions. The OUTS instruction can be preceded by the REP 
prefix for block output of CX bytes or words. Refer to the REP instruction for details on 
this operation. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the current privilege level is greater than the I/O privilege level and any of the 
corresponding I/O permission bits in TSS equals 1; #GP(0) for an illegal memory oper- 
and effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the 
SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault- 
code) for a page fault 
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POP -Pop a Word from the Stack 



Opcode 


Instruction 


Clocks 


Description 


8F /O 


POP m16 


5 


Pop top of stack into memory word 


8F /O 


POP m32 


5 


Pop top of stack into memory dword 


58+ /w 


POP r16 


4 


Pop top of stack into word register 


58+ rd 


POP r32 


4 


Pop top of stack into dword register 


1F 


POP DS 


7,pm=^2^ 


Pop top of stack into DS 


07 


POPES 


7,pm=21 


Pop top of stack into ES 


17 


POPSS 


7,pm=2^ 


Pop top of stack into SS 


OF A1 


POPFS 


7,pm^2^ 


Pop top of stack into FS 


OF A9 


POPGS 


7,pm=21 


Pop top of stack into GS 



Operation 

IF StackAddrSize = 16 
THEN 
IF OperandSize = 16 
THEN 

DEST ^ (SS:SP); (* copy a word *] 

SP <- SP + 2; 
ELSE (* OperandSize = 32 *) 

DEST <- (SS:SP); (* copy a dword 

SP ^ SP + 4; 
Fl; 



ELSE (* StackAddrSize - 32 * ) 
IF OperandSize = 16 
THEN 

DEST ^ (SS:ESP); (* copy a word *) 

ESP ^ ESP + 2; 
ELSE (* OperandSize - 32 *) 

DEST ^ (SS:ESP); (* copy a dword *) 

ESP ^ ESP + 4; 
Fl; 
Fl; 



Description 

The POP instruction replaces the previous contents of the memory, the register, or the 
segment register operand with the word on the top of the 386 DX microprocessor stack, 
addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP (address-size attribute 
of 32 bits). The stack pointer SP is incremented by 2 for an operand-size of 16 bits or by 
4 for an operand-size of 32 bits. It then points to the new top of stack. 

The POP CS instruction is not a 386 DX microprocessor instruction. Popping from the 
stack into the CS register is accomplished with a RET instruction. 
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If the destination operand is a segment register (DS, ES, FS, GS, or SS), the value 
popped must be a selector. In protected mode, loading the selector initiates automatic 
loading of the descriptor information associated with that selector into the hidden part 
of the segment register; loading also initiates validation of both the selector and the 
descriptor information. 

A null value (0000-0003) may be popped into the DS, ES, FS, or GS register without 
causing a protection exception. An attempt to reference a segment whose corresponding 
segment register is loaded with a null value causes a #GP(0) exception. No memory 
reference occurs. The saved value of the segment register is null. 

A POP SS instruction inhibits all interrupts, including NMI, until after execution of the 
next instruction. This allows sequential execution of POP SS and POP eSP instructions 
without danger of having an invalid stack during an interrupt. However, use of the LSS 
instruction is the preferred method of loading the SS and eSP registers. 

Loading a segment register while in protected mode results in special checks and actions, 
as described in the following listing: 

IF SS is loaded: 
IF selector is null THEN #GP(0); 
Selector index must be within Its descriptor table limits ELSE 

#GP(selector); 
Selector's RPL must equal GPL ELSE #GP (selector); 
AR byte must indicate a writable data segment ELSE #GP(selector); 
DPL in the AR byte must equal GPL ELSE #GP(selector); 
Segment must be marked present ELSE #SS (selector); 
Load SS register with selector; 
Load SS register with descriptor; 

IF DS, ES, FS or GS is loaded with non-null selector: 
AR byte must indicate data or readable code segment ELSE 

#GP(selector); 
IF data or nonconforming code 
THEN both the RPL and the GPL must be less than or equal to DPL in 

AR byte 
ELSE #GP(selector); 
Fl; 

Segment must be marked present ELSE #NP(selector); 
Load segment register with selector; 
Load segment register with descriptor; 

IF DS, ES, FS, or GS is loaded with a null selector: 
Load segment register with selector 
Glear valid bit In invisible portion of register 

Flags Affected 

None 
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Protected Mode Exceptions 

#GP, #SS, and #NP if a segment register is being loaded; #SS(0) if the current top of 
stack is not within the stack segment; #GP(0) if the result is in a nonwritable segment; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or OS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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POPA/POPAD- 


Pop all General Registers 




Opcode 

61 
61 


instruction 

POPA 
POPAD 


Cloclts 

24 
24 


Description 

Pop Dl, SI, BP, SP, BX, DX, CX 
Pop EDI, ESI, EBP, ESP, EDX, 


, and AX 
ECX, and EAX 



Operation 

IF OperandSize = 16 (* instruction = POPA *) 
THEN 

Dl ^PopO; 

SI ^ PopO; 

BP ^ PopO; 

throwaway <- Pop (); (* Skip SP *) 

BX^PopO; 

DX ^ PopO; 

CX ^ PopO; 

AX ^ PopO; 
ELSE (* OperandSize = 32, instruction = POPAD *) 

EDI ^ PopO; 

ESI <- PopO; 

EBP ^ PopO; 

throwaway ^ Pop 0; (* Skip ESP *) 

EBX ^ PopO; 

EDX ^ PopO 

ECX <- PopO 

EAX ^ PopO 
Fl; 



Description 

The POPA instruction pops the eight 16-bit general registers. However, the SP value is 
discarded instead of loaded into the SP register. The POPA instruction reverses a pre- 
vious PUSHA instruction, restoring the general registers to their values before the 
PUSHA instruction was executed. The first register popped is the Dl register. 

The POPAD instruction pops the eight 32-bit general registers. The ESP value is dis- 
carded instead of loaded into the ESP register. The POPAD instruction reverses the 
previous PUSHAD instruction, restoring the general registers to their values before the 
PUSHAD instruction was executed. The first register popped is the EDI register. 



Flags Affected 

None 
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Protected Mode Exceptions 

#SS(0) if the starting or ending stack address is not within the stack segment; 
#PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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POPF/POPFD-Pop Stack into FLAGS or EFLAGS Register 



Opcode 

9D 
9D 



Instruction 



POPF 
POPFD 



Clocks 

5 
5 



Description 

Pop top of stack FLAGS 
Pop top of stack into EFLAGS 



Operation 

Flags ^ PopO; 

Description 

The POPF and POPFD instructions pop the word or doubleword on the top of the stack 
and store the value in the flags register. If the operand-size attribute of the instruction is 
16 bits, then a word is popped and the value is stored in the FLAGS register. If the 
operand-size attribute is 32 bits, then a doubleword is popped and the value is stored in 
the EFLAGS register. 

Refer to Chapter 2 and Chapter 4 for information about the FLAGS and EFLAGS 
registers. Note that bits 16 and 17 of the EFLAGS register, called the VM and RF flags, 
respectively, are not affected by the POPF or POPFD instruction. 

The I/O privilege level is altered only when executing at privilege level 0. The interrupt 
flag is altered only when executing at a level at least as privileged as the I/O privilege 
level. (Real-address mode is equivalent to privilege level 0.) If a POPF instruction is 
executed with insufficient privilege, an exception does not occur, but the privileged bits 
do not change. 

Flags Affected 

All flags except the VM and RF flags 

Protected IVIode Exceptions 

#SS(0) if the top of stack is not within the stack segment 

Real Address IVIode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

#GP(0) fault if the I/O privilege level is less than 3, to permit emulation 
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PUSH — Push Operand onto the Stack 



Opcode 


Instruction 


Clocks 


Description 


FF /6 


PUSH m16 


5 


Push memory word 


FF /6 


PUSH m32 


5 


Push memory dword 


50+ Ir 


PUSH r16 


2 


Push register word 


50+ Ir 


PUSH r32 


2 


Push register dword 


6A 


PUSH imm8 


2 


Push immediate byte 


68 


PUSH imm16 


2 


Push immediate word 


68 


PUSH imm32 


2 


Push immediate dword 


OE 


PUSH CS 


2 


Pushes 


16 


PUSH SS 


2 


Push SS 


1E 


PUSH DS 


2 


Push DS 


06 


PUSH ES 


2 


Push ES 


OF AO 


PUSH FS 


2 


Push FS 


OF A8 


PUSH GS 


2 


PushGS 



Operation 

IF StackAddrSize = 16 
THEN 
IF OperandSize = 16 THEN 
SP ^ SP - 2; 

(SS:SP) ^ (SOURCE); (* word assignment *) 
ELSE 
SP ^ SP - 4; 

(SS:SP) ^ (SOURCE); (* dword assignment *) 
Fl; 
ELSE (* StackAddrSize = 32 *) 
IF OperandSize = 16 
THEN 
ESP ^ ESP - 2; 

(SS:ESP) <- (SOURCE); (* word assignment *) 
ELSE 
ESP <- ESP - 4; 

(SS:ESP) ^ (SOURCE); (* dword assignment *; 
Fl; 
Fl; 



Description 

The PUSH instruction decrements the stack pointer by 2 if the operand-size attribute of 
the instruction is 16 bits; otherwise, it decrements the stack pointer by 4. The PUSH 
instruction then places the operand on the new top of stack, which is pointed to by the 
stack pointer. 

The 386 DX microprocessor PUSH ESP instruction pushes the value of the ESP register 
as it existed before the instruction. This differs from the 8086, where the PUSH SP 
instruction pushes the new value (decremented by 2). 
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Flags Affected 

None 

Protected Mode Exceptions 

#SS(0) if the new value of the SP or ESP register is outside the stack segment hmit; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

None; if the SP or ESP register is 1, the 386 DX microprocessor shuts down due to a 
lack of stack space 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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PUSHA/PUSHAD-Push all General Registers 



Opcode Instruction Clocks Description 

60 PUSHA 18 Push AX, CX, DX, BX, original SP, BP, SI, and Dl 

60 PUSHAD 18 Push EAX, ECX, EDX, EBX, original ESP, EBP, ESI, and EDI 



Operation 

IF OperandSize = 16 (* PUSHA instruction *) 
THEN 

Temp ^ (SP); 

Pusli(AX); 

Pusli(CX); 

Push(DX); 

Push(BX); 

Pusli(Temp); 

Push(BP); 

Push(SI); 

Push(DI); 
ELSE (* OperandSize = 32, PUSHAD instruction 

Temp ^ (ESP); 

Push (EAX); 

Push (ECX); 

Push(EDX); 

Push(EBX); 

Push(Temp); 

Push(EBP); 

Push(ESI); 

Push(EDI); 
Fl; 



Description 

The PUSHA and PUSHAD instructions save the 16-bit or 32-bit general registers, re- 
spectively, on the 386 DX stack. The PUSHA instruction decrements the stack pointer 
(SP) by 16 to hold the eight word values. The PUSHAD instruction decrements the stack 
pointer (ESP) by 32 to hold the eight doubleword values. Because the registers are 
pushed onto the stack in the order in which they were given, they appear in the 16 or 32 
new stack bytes in reverse order. The last register pushed is the DI or EDI register. 



Flags Affected 

None 
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Protected Mode Exceptions 

#SS(0) if the starting or ending stack address is outside the stack segment Hmit; 
#PF(fauh-code) for a page fault 

Real Address Mode Exceptions 

Before executing the PUSHA or PUSHAD instruction, the 386 DX microprocessor 
shuts down if the SP or ESP register equals 1, 3, or 5; if the SP or ESP register equals 7, 
9, 11, 13, or 15, exception 13 occurs 

Virtual 8086 Mode Exceptions 

Same exceptions as in real-address mode; #PF(fault-code) for a page fault 
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PUSHF/PUSHFD-Push Flags Register onto the Stack 



Opcode 

9C 
9C 



Instruction 

PUSHF 
PUSHFD 



Clocks 

4 
4 



Description 

Push FLAGS 
Push EFLAGS 



Operation 

IF OperandSize = 32 
THEN push(EFLAGS); 
ELSE push(FLAGS); 
Fl; 



Description 



The PUSHF instruction decrements the stack pointer by 2 and copies the FLAGS reg- 
ister to the new top of stack; the PUSHFD instruction decrements the stack pointer by 4, 
and the 386 DX microprocessor EFLAGS register is copied to the new top of stack 
which is pointed to by SS:ESP. Refer to Chapter 2 and to Chapter 4 for information on 
the EFLAGS register. 

Flags Affected 

None 

Protected IVIode Exceptions 

#SS(0) if the new value of the ESP register is outside the stack segment boundaries 

Real Address Mode Exceptions 

None; the 386 DX microprocessor shuts down due to a lack of stack space 

Virtual 8086 Mode Exceptions 

#GP(0) fault if the I/O privilege level is less than 3, to permit emulation 
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RCL/RCR/ROL/ROR— Rotate 



Opcode 


Instruction 


Clocks 


Description 


DO 12 


RCL r/m8,^ 


9/10 


Rotate 9 bits (CF,r/m byte) left once 


D2 12 


RCL r/mS.CL 


9/10 


Rotate 9 bits {CF, r/m byte) left CL times 


CO 12 ib 


RCL r/m8,imm8 


9/10 


Rotate 9 bits {CF,r/m byte) left /mmS times 


D1 12 


RCL r/mr6,1 


9/10 


Rotate 17 bits (CF.r/m word) left once 


D3 /2 


RCL r/m16,Cl 


9/10 


Rotate 17 bits {CF, r/m word) left CL times 


C1 /2 ib 


RCL r/m16,imm8 


9/10 


Rotate 17 bits {CF,r/m word) left imm8 times 


D1 /2 


RCL r/m32^ 


9/10 


Rotate 33 bits {CF, r/m dword) left once 


D3 /2 


RCL r/m32,CL 


9/10 


Rotate 33 bits {CF, r/m dword) left CL times 


C1 /2 /t) 


RCL r/m32,imm8 


9/10 


Rotate 33 bits {CF, r/m dword) left /m/773 times 


DO /3 


RCR r/m8,1 


9/10 


Rotate 9 bits (CF.r/m byte) right once 


D2 /3 


RCR r/mS.CL 


9/10 


Rotate 9 bits (CF,r/m byte) right CL times 


CO /3 ib 


RCR r/m8,imm8 


9/10 


Rotate 9 bits {CF,r/m byte) right /mmS times 


D1 /3 


RCR f/m76,1 


9/10 


Rotate 17 bits {CF, r/m word) right once 


D3 /3 


RCR r/m16,CL 


9/10 


Rotate 17 bits (CF,r/m word) right CL times 


C1 /3ib 


RCR r/m16,imm8 


9/10 


Rotate 17 bits (CF,r/mword) right /mmS times 


D1 /3 


RCR r/m32,1 


9/10 


Rotate 33 bits {CF, r/m dword) right once 


D3 /3 


RCR r/m32,CL 


9/10 


Rotate 33 bits {CF, r/m dword) right CL times 


C1 /3 /t) 


RCR r/m32,imm8 


9/10 


Rotate 33 bits (CF,r/m dword) right imm8 times 


DO /O 


ROL r/m8,1 


3/7 


Rotate 8 bits r/m byte left once 


D2 /O 


ROL r/mS.CL 


3/7 


Rotate 8 bits r/m byte left CL times 


CO /O ib 


ROL r/m8,imm8 


3/7 


Rotate 8 bits r/m byte left imm8 times 


D1 /O 


ROL r/rr7)6,1 


3/7 


Rotate 1 6 bits r/m word left once 


D3 /O 


ROL r/m16,CL 


3/7 


Rotate 16 bits r/m word left CL times 


C1 /O //? 


ROL r/m16,imm8 


3/7 


Rotate 16 bits r/m word left imm8 times 


D1 /O 


ROL r/m32,1 


3/7 


Rotate 32 bits r/m dword left once 


D3 /O 


ROL r/m32,CL 


3/7 


Rotate 32 bits r/m dword left CL times 


C1 /0/b 


ROL r/m32,imm8 


3/7 


Rotate 32 bits r/m dword left imm8 times 


DO /1 


ROR r/m8,1 


3/7 


Rotate 8 bits r/m byte right once 


D2 /1 


ROR r//r78,CL 


.3/7 


Rotate 8 bits r/m byte right CL times 


CO /1 ib 


ROR r/m8,imm8 


3/7 


Rotate 8 bits r/m word right immS times 


D1 /1 


ROR r/mt6,1 


3/7 


Rotate 16 bits r/m word right once 


D3 /1 


ROR r/m16,CL 


3/7 


Rotate 1 6 bits r/m word right CL times 


C1 /1 /£) 


ROR r/m16,imm8 


3/7 


Rotate 16 bits r/m word right imm8 times 


D1 /1 


ROR r/rr732,1 


3/7 


Rotate 32 bits r/m dword right once 


D3 /1 


ROR r/m32,CL 


3/7 


Rotate 32 bits r/m dword right CL times 


C1 /I /b 


ROR r/m32,imm8 


3/7 


Rotate 32 bits r/m dword right imm8 times 



Operation 

(* ROL - Rotate Left *) 
temp ^ COUNT; 
WHILE (temp <> 0) 
DO 

tmpcf ^ high-order bit of (r/m); 

r/m ^ r/m * 2 + (tmpcf); 

temp ^ temp - 1 ; 
OD; 

IF COUNT = 1 
THEN 

IF high-order bit of r/m < > CF 

THEN OF ^1; 

ELSE OF ^ 0; 

Fl; 
ELSE OF ^ undefined; 
Fl; 
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(* ROR - Rotate Right *) 
temp ^ COUNT; 
WHILE (temp <> ) 
DO 

tmpcf ^ low-order bit of (r/m)] 

r/m ^ r/m / 2 + (tmpcf * 2^'^'^^^/"^^); 

temp -^ temp - 1 ; 
DO; 

IF COUNT =1 
THEN 

IF (high-order bit of r/m) < > (bit next to high-order bit of r/m) 

THEN OF ^ 1; 

ELSE OF ^0; 

Fl; 
ELSE OF ^ undefined; 
Fl; 

Description 

Each rotate instruction shifts the bits of the register or memory operand given. The left 
rotate instructions shift all the bits upward, except for the top bit, which is returned to 
the bottom. The right rotate instructions do the reverse: the bits shift downward until the 
bottom bit arrives at the top. 

For the RCL and RCR instructions, the CF flag is part of the rotated quantity. The RCL 
instruction shifts the CF flag into the bottom bit and shifts the top bit into the CF flag; 
the RCR instruction shifts the CF flag into the top bit and shifts the bottom bit into the 
CF flag. For the ROL and ROR instructions, the original value of the CF flag is not a 
part of the result, but the CF flag receives a copy of the bit that was shifted from one end 
to the other. 

The rotate is repeated the number of times indicated by the second operand, which is 
either an immediate number or the contents of the CL register. To reduce the maximum 
instruction execution time, the 386 DX microprocessor does not allow rotation counts 
greater than 31. If a rotation count greater than 31 is attempted, only the bottom five 
bits of the rotation are used. The 8086 does not mask rotation counts. The 386 DX 
microprocessor in Virtual 8086 Mode does mask rotation counts. 

The OF flag is defined only for the single-rotate forms of the instructions (second oper- 
and is a 1). It is undefined in all other cases. For left shifts/rotates, the CF bit after the 
shift is XORed with the high-order result bit. For right shifts/rotates, the high-order two 
bits of the result are XORed to get the OF flag. 

Flags Affected 

The OF flag is affected only for single-bit rotates; the OF flag is undefined for multi-bit 
rotates; the CF flag contains the value of the bit shifted into it; the SF, ZF, AF, and PF 
flags are not affected 
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Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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REP/REPE/REPZ/REPNE/REPNZ- Repeat Following String 

Operation 



Opcode 


Instruction 


Clocks 


Description 


F3 6C 


REP INS r/m8, DX 


14 + 6*(E)CX; 

pm = 8 + 6*(E)cX*V 

28 + 6*(E)CX2 


Input (E)CX bytes from port DX into ES:[(E)DI] 


F3 6D 


REP INS r/m16,DX 


14 + 6*(E)CX, 

pm=8 + 6*(E)CX*V 
28 + 6*(E)CX^2 


Input (E)CX words from port DX into ES:[(E)DI] 








F3 6D 


REP INS r/m32,DX 


14 + 6*(E)CX, 

pm = 8 + 6*(E)CX*V 

28 + 6*(E)CX2 


Input (E)CX dwords from pot DX into ES:[(E)DI] 








F3 A4 


REP MOVS m8,m8 


8 + 4*(E)CX 


Move (E)CX bytes from [(E)SI] to ES:[(E)DI] 


F3 A5 


REP MOVS m16,m16 


8 + 4*(E)CX 


Move (E)CX words from [(E)SI] to ES:[(E)DI] 


F3 A5 


REP MOVS m32,m32 


8 + 4*(E)CX 


Move (E)CX dwords from [(E)SI] to ES:[(E)DI] 


F3 6E 


REP OUTS DX,r/m8 


12 + 5*(E)CX, 

pm = 6 + 5*(E)CX*V 

26 + 5*{E)CX^2 


Output (E)CX bytes from [(E)SI] to port DX 








F3 6F 


REP OUTS DX,r/m16 


12 + 5*(E)CX, 

pm = 6 + 5*(E)CX*V 

26 + 5*(E)CX2 


Output (E)CX words from [(E)SI] to port DX 








F3 6F 


REP OUTS DX,r/m32 


12 + 5*(E)CX, 

pm = 6 + 5*(E)CX*V 
26 + 5*(E)CX^2 


Output (E)CX dwords from [(E)SI] to port DX 








F3 AC 


REP LODS m8 


5 + 6*(E)CX 


Load (E)CX bytes from [(E)SI] to AL 


F3 AD 


REP LODS m16 


5 + 6*(E)CX 


Load (E)CX words from [(E)SI] to AX 


F3 AD 


REP LODS Ar732 


5 + 6*(E)CX 


Load (E)CX dwords from [(E)SI] to EAX 


F3 AA 


REP STOS mS 


5 + 5*(E)CX 


Fill (E)CX bytes at ES:[(E)DI] with AL 


F3 AB 


REP STOS ml 6 


5 + 5*(E)CX 


Fill (E)CX words at ES:[(E)DI] with AX 


F3 AB 


REP STOS m32 


5 + 5*(E)CX 


Fill (E)CX dwords at ES:[(E)DI] with EAX 


F3 A6 


REPE CMPS m8,m8 


5 + 9*A/ 


Find nonmatching bytes .in ES:[(E)DI] and [(E)SI] 


F3 A7 


REPE CMPS m16,m16 


5 + 9*A/ 


Find nonmatching words in ES:[(E)DI] and [(E)SI] 


F3 A7 


REPE CMPS m32,m32 


5 + 9*N 


Find nonmatching dwords in ES:[(E)DI] and [(E)SI] 


F3 AE 


REPESCASmS 


5 + 8*N 


Find non-AL byte starting at ES:[(E)DI] 


F3 AF 


REPE SCAS m16 


5 + 8*/V 


Find non-AX word starting at ES:[(E)DI] 


F3 AF 


REPE SCAS m32 


5 + 8* A/ 


Find non-EAX dword starting at ES:[(E)DI] 


F2 A6 


REPNE CMPS m8,m8 


5 + 9*N 


Find matching bytes in ES:[(E)DI] and [(E)SI] 


F2 A7 


REPNE CMPS m16,m16 


5 + 9*N 


Find matching words in ES:[(E)DI] and [(E)SI] 


F2 A7 


REPNE CMPS m32,m32 


5 + 9* N 


Find matching dwords in ES:[(E)DI] and [(E)SI] 


F2 AE 


REPNE SCAS m8 


5 + 8*N 


Find AL, starting at ES:[(E)DI] 


F2 AF 


REPNE SCAS m16 


5 + 8*N 


Find AX, starting at ES:[(E)DI] 


F2 AF 


REPNE SCAS m32 


5 + 8*A/ 


Find EAX, starting at ES:[(E)DI] 



NOTES: *1 If GPL < lOPL 

*2 If CPL > lOPL or if in virtual 8086 mode 

Operation 

IF AddressSize = 16 

THEN use CX for CountReg; 

ELSE (* AddressSize = 32 *) use ECX for CountReg; 

Fl; 

WHILE CountReg <> 

DO 

service pending interrupts (if any); 

perform primitive string instruction; 

CountReg ^ CountReg - 1 ; 

IF primitive operation Is CMPB, CMPW, SCAB, or SCAW 

THEN 
IF (instruction is REP/REPE/REPZ) AND (ZF=1) 
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THEN exit WHILE loop 
ELSE 
IF (instruction is REPNZ or REPNE) AND (ZF = 0) 
THEN exit WHILE loop; 
Fl; 
Fl; 
Fl; 
CD; 

Description 

The REP, REPE (repeat while equal), and REPNE (repeat while not equal) prefixes 
are applied to string operation. Each prefix causes the string instruction that follows to 
be repeated the number of times indicated in the count register or (for the REPE and 
REPNE prefixes) until the indicated condition in the ZF flag is no longer met. 

Synonymous forms of the REPE and REPNE prefixes are the REPZ and REPNZ pre- 
fixes, respectively. 

The REP prefixes apply only to one string instruction at a time. To repeat a block of 
instructions, use the LOOP instruction or another looping construct. 

The precise action for each iteration is as follows: 

1. If the address-size attribute is 16 bits, use the CX register for the count register; if 
the address-size attribute is 32 bits, use the ECX register for the count register. 

2. Check the CX register. If it is zero, exit the iteration, and move to the next 
instruction. 

3. Acknowledge any pending interrupts. 

4. Perform the string operation once. 

5. Decrement the CX or ECX register by one; no flags are modified. 

6. Check the ZF flag if the string operation is a SCAS or CMPS instruction. If the 
repeat condition does not hold, exit the iteration and move to the next instruction. 
Exit the iteration if the prefix is REPE and the ZF flag is (the last comparison was 
not equal), or if the prefix is REPNE and the ZF flag is one (the last comparison 
was equal). 

7. Return to step 1 for the next iteration. 

Repeated CMPS and SCAS instructions can be exited if the count is exhausted or if the 
ZF flag fails the repeat condition. These two cases can be distinguished by using either 
the JCXZ instruction, or by using the conditional jumps that test the ZF flag (the JZ, 
JNZ, and JNE instructions). 

Flags Affected 

The ZF flag is affected by the REP CMPS and REP SCAS as described above 
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Protected Mode Exceptions 

Exceptions can be generated when the string operation is executed; refer to the descrip- 
tions of the string instructions themselves 

Real Address Mode Exceptions 

Exceptions can be generated when the string operation is executed; refer to the descrip- 
tions of the string instructions themselves 

Virtual 8086 Mode Exceptions 

Exceptions can be generated when the string operation is executed; refer to the descrip- 
tions of the string instructions themselves 

Notes 

Not all I/O ports can handle the rate at which the REP INS and REP OUTS instructions 
execute. 

The repeat prefix is ignored when it is used with a non-string instruction. 
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RET — Return from Procedure 



Opcode 


Instruction 


Clocks 


Description 


C3 


RET 


10 + m 


Return (near) to caller 


CB 


RET 


^Q + m,pm=32 + m 


Return (far) to caller, same privilege 


CB 


RET 


pm= 69 


Return (far), lesser privilege, switch stacks 


C2 iw 


RET imm16 


10 + m 


Return (near), pop irnmW bytes of parameters 


CA iw 


RET immW 


^Q + m,pm=32 + m 


Return (far), same privilege, pop imm16 bytes 


CA iw 


RET imm16 


pm = 69 


Return (far), lesser privilege, pop />T7m76 bytes 



Operation 

IF instruction = near RET 
THEN; 
IF OperandSize = 16 
THEN 
IP ^ PopO; 

EIP <- EIP AND GOOOFFFFH; 
ELSE (* OperandSize = 32 *) 

EIP ^ PopO; 
Fl; 

IF instruction has imnnediate operand THEN eSP ^ eSP + imnn16; Fl; 
Fl; 

IF (PE = OR (PE = 1 AND VM = 1)) 
(* real mode or virtual 8086 mode *) 
AND instruction = far RET 
THEN; 
IF OperandSize = 16 
THEN 

IP ^ PopO; 

EIP <- EIP AND OOOOFFFFH; 

CS<- PopO; (* 16-bit pop*) 
ELSE (* OperandSize = 32 *) 

EIP ^ PopO; 

CS ^ PopO; (* 32-bit pop, high-order 16-bits discarded *) 
Fl; 

IF instruction has Immediate operand THEN eSP <- eSP + imm16; Fl; 
Fl; 

IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) 

AND instruction = far RET 
THEN 

IF OperandSize = 32 

THEN Third word on stack must be within stack limits else #SS(0); 

ELSE Second word on stack must be within stack limits else #SS(0); 

Fl; 

Return selector RPL must be > CPL ELSE #GP(return selector) 

IF return selector RPL = CPL 
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THEN GOTO SAME-LEVEL; 
ELSE GOTO OUTER-PRIVILEGE-LEVEL; 
Fl; 
Fl; 

SAME-LEVEL: 
Return selector must be non-null ELSE #GP(0) 
Selector index must be within its descriptor table limits ELSE 

#GP(selector) 
Descriptor AR byte must indicate code segment ELSE #GP(selector) 
IF non-conforming 

THEN code segment DPL must equal GPL; 
ELSE #GP(selector); 
Fl; 

IF conforming 

THEN code segment DPL must be < GPL; 
ELSE #GP(selector); 
Fl; 

Code segment must be present ELSE #NP(selector); 
Top word on stack must be within stack limits ELSE #SS(0); 
IP must be in code segment limit ELSE #GP(0); 
IF OperandSize = 32 
THEN 

Load GS:EIP from stack 

Load CS register with descriptor 

Increment eSP by 8 plus the immediate offset if it exists 
ELSE (* OperandSize = 16 *) 

Load GS:IP from stack 

Load CS register with descriptor 

Increment eSP by 4 plus the immediate offset if it exists 
Fl; 

OUTER-PRIVILEGE-LEVEL: 
IF OperandSize = 32 
THEN Top (16 + immediate) bytes on stack must be within stack limits 

ELSE #SS(0); 
ELSE Top (8 + immediate) bytes on stack must be within stack limits ELSE 
#SS(0); 

Examine return CS selector and associated descriptor: 
Selector must be non-null ELSE #GP(0); 
Selector index must be within its descriptor table limits ELSE 

#GP(selector) 
Descriptor AR byte must indicate code segment ELSE #GP(selector); 
IF non-conforming 

THEN code segment DPL must equal return selector RPL 
ELSE #GP(selector); 
Fl; 
IF conforming 
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THEN code segment DPL must be < return selector RPL; 
ELSE #GP(selector); 
Fl; 

Segment must be present ELSE #NP(selector) 
Examine return SS selector and associated descriptor: 
Selector must be non-null ELSE #GP(0); 
Selector index must be within its descriptor table limits 

ELSE #GP(selector); 
Selector RPL must equal the RPL of the return OS selector ELSE 

#GP(selector); 
Descriptor AR byte must indicate a writable data segment ELSE 

#GP(selector); 
Descriptor DPL must equal the RPL of the return CS selector ELSE 

#GP(selector); 
Segment must be present ELSE #NP (selector); 
IP must be in code segment limit ELSE #GP(0); 
Set CPL to the RPL of the return OS selector; 
IF OperandMode = 32 
THEN 

Load CS:EIP from stack; 
Set CS RPL to CPL; 

Increment eSP by 8 plus the immediate offset if it exists; 
Load SS:eSP from stack; 
ELSE (* OperandMode = 16 *) 
Load CS:IP from stack; 
Set CS RPL to CPL; 

Increment eSP by 4 plus the immediate offset if it exists; 
Load SS:eSP from stack; 
Fl; 

Load the CS register with the return CS descriptor; 
Load the SS register with the return SS descriptor; 
For each of ES, FS, GS, and DS 
DO 
IF the current register setting is not valid for the outer level, 

set the register to null (selector ^ AR ^ 0); 
To be valid, the register setting must satisfy the following properties: 
Selector index must be within descriptor table limits; 
Descriptor AR byte must indicate data or readable code segment; 
IF segment is data or non-conforming code, THEN 

DPL must be > CPL, or DPL must be > RPL; 
Fl; 
CD; 



Description 

The RET instruction transfers control to a return address located on the stack. The 
address is usually placed on the stack by a CALL instruction, and the return is made to 
the instruction that follows the CALL instruction. 
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The optional numeric parameter to the RET instruction gives the number of stack bytes 
(OperandMode = 16) or words (OperandMode = 32) to be released after the return ad- 
dress is popped. These items are typically used as input parameters to the procedure 
called. 

For the intrasegment (near) return, the address on the stack is a segment offset, which is 
popped into the instruction pointer. The CS register is unchanged. For the intersegment 
(far) return, the address on the stack is a long pointer. The offset is popped first, fol- 
lowed by the selector. 

In real mode, the CS and IP registers are loaded directly. In Protected Mode, an inter- 
segment return causes the processor to check the descriptor addressed by the return 
selector. The AR byte of the descriptor must indicate a code segment of equal or lesser 
privilege (or greater or equal numeric value) than the current privilege level. Returns to 
a lesser privilege level cause the stack to be reloaded from the value saved beyond the 
parameter block. 

The DS, ES, FS, and GS segment registers can be cleared by the RET instruction during 
an interlevel transfer. If these registers refer to segments that cannot be used by the new 
privilege level, they are cleared to prevent unauthorized access from the new privilege 
level. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP, #NP, or #SS, as described under "Operation" above; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would be outside the effective address space from 
to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SAHF- Store AH into Flags 



Opcode Instruction Clocks Description 

9E SAHF 3 Store AH into flags SF ZF xx AF xx PF xx CF 



Operation 

SF:ZF:xx:AF:xx:PF:xx:CF ^ AH; 

Description 

The SAHF instruction loads the SF, ZF, AF, PF, and CF flags with values from the AH 
register, from bits 7, 6, 4, 2, and 0, respectively. 

Flags Affected 

The SF, ZF, AF, PF, and CF flags are loaded with values form the AH register 

Protected IVIode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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SAL/SAR/SHL/SHR - Shift Instructions 



Opcode 


Instruction 


Clocks 


Description 


DO /4 


SAL //mS,1 


3/7 


Multiply r/m byte by 2, once 


D2 /4 


SAL r/mS.CL 


3/7 


Multiply r/m byte by 2, CL times 


CO /4 ib 


SAL r/m8,imm8 


3/7 


Multiply r/m byte by 2, imm8 times 


D1 /4 


SAL r//7776,1 


3/7 


Multiply r/m word by 2, once 


D3 /4 


SAL r/m 76,CL 


3/7 


Multiply r/m word by 2, CL times 


C1 14 ib 


SAL r/m16,imm8 


3/7 


Multiply r/m word by 2, imm8 times 


D1 /4 


SAL r/m32,1 


3/7 


Multiply r/m dword by 2, once 


D3 /4 


SAL r//7732,CL 


3/7 


Multiply r/m dword by 2, CL times 


C1 /4/b 


SAL r/m32,imm8 


3/7 


Multiply r/m dword by 2, /mmS times 


DO /7 


SAR r/mS.I 


3/7 


Signed divide'' ///r? byte by 2, once 


D2 /7 


SAR r/i778,CL 


3/7 


Signed divide^ r/m byte by 2, CL times 


CO /7 //5 


SAR r/m8,imm8 


3/7 


Signed divide"" r/m byte by 2, /mmS times 


D1 /? 


SAR r/mt6,1 


3/7 


Signed divide^ r/m word by 2, once 


D3 /7 


SAR r/m16,CL 


3/7 


Signed divide^ r/m word by 2, CL times 


C1 /7 //? 


SAR r/m16,imm8 


3/7 


Signed divide^ r/m word by 2, /mmS times 


D1 17 


SAR r/i7732,1 


3/7 


Signed divide"" r/m dword by 2, once 


D3 /7 


SAR r/m32,CL 


3/7 


Signed divide^ r/m dword by 2, CL times 


C1 /7 ib 


SAR r/m32,imm8 


3/7 


Signed divide^ r/m dword by 2, /mm8 times 


DO /4 


SHL r/m5,1 


3/7 


Multiply r/m byte by 2, once 


D2 /4 


SHL r/mS.CL 


3/7 


Multiply r/m byte by 2, CL times 


CO /4 /t> 


SHL r/m8,imm8 


3/7 


Multiply r/m byte by 2, /mmS times 


D1 /4 


SHL r/r77ye,1 


3/7 


Multiply r/m word by 2, once 


D3 /4 


SHLr/m75,CL 


3/7 


Multiply r/m word by 2, CL times 


C1 /4 //? 


SHL r/m16,imm8 


3/7 


Multiply r/m word by 2, /mmS times 


D1 /4 


SHL r/A7752,1 


3/7 


Multiply r/m dword by 2, once 


D3 /4 


SHL r/A7732,CL 


3/7 


Multiply r/m dword by 2, CL times 


C1 /4 /b 


SHL r/m32,imm8 


3/7 


Multiply r/m dword by 2, /mmS times 


DO /5 


SHR //mS.I 


3/7 


Unsigned divide r/m byte by 2, once 


D2 /5 


SHR r/m5,CL 


3/7 


Unsigned divide r/m byte by 2, CL times 


CO /5 /b 


SHR r/m8,imm8 


3/7 


Unsigned divide r/m byte by 2, imm8 times 


D1 /5 


SHR r/my6,1 


3/7 


Unsigned divide r/m word by 2, once 


D3 /5 


SHR r/m16,CL 


3/7 


Unsigned divide r/m word by 2, CL times 


CI /5 ib 


SHR r/m16,imm8 


3/7 


Unsigned divide r/m word by 2, /mm5 times 


D1 /5 


SHR r/m32,1 


3/7 


Unsigned divide r/m dword by 2, once 


D3 /5 


SHR r/m32,CL 


3/7 


Unsigned divide r/m dword by 2, CL times 


C1 /5 ib 


SHR r/m32,imm8 


3/7 


Unsigned divide r/m dword by 2, imm8 times 



Not the same division as IDIV; rounding is toward negative infinity. 

Operation 

(* COUNT is the second parameter *) 
(tennp) <- COUNT; 
WHILE (tennp <> 0) 
DO 

IF instruction is SAL or SHL 

THEN CF ^ high-order bit of r/m; 

Fl; 

IF instruction is SAR or SHR 

THEN CF <- low-order bit of r/m; 

Fl; 

IF instruction = SAL or SHL 

THEN r/m <- r/m * 2; 

Fl; 

IF instruction = SAR 

THEN r/m ^ r/m 12 (*Signed divide, rounding toward negative infinity* 
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Fl; 

IF instruction = SHR 

THEN r/m <- r/m I 2; (* Unsigned divide *); 

Fl; 

temp ^ tenrip - 1 ; 
CD; 

(* Determine overflow for the various instructions *) 
IF COUNT = 1 
THEN 

IF instruction is SAL or SHL 

THEN OF <- high-order bit of r/m < > (CF); 

Fl; 

IF instruction is BAR 

THEN OF ^0; 

Fl; 

IF instruction is SHR 

THEN OF ^ high-order bit of operand; 

Fl; 
ELSE OF ^ undefined; 
Fl; 

Description 

The SAL instruction (or its synonym, SHL) shifts the bits of the operand upward. The 
high-order bit is shifted into the CF flag, and the low-order bit is cleared. 

The SAR and SHR instructions shift the bits of the operand downward. The low-order 
bit is shifted into the CF flag. The effect is to divide the operand by two. The SAR 
instruction performs a signed divide with rounding toward negative infinity (not the 
same as the IDIV instruction); the high-order bit remains the same. The SHR instruc- 
tion performs an unsigned divide; the high-order bit is cleared. 

The shift is repeated the number of times indicated by the second operand, which is 
either an immediate number or the contents of the CL register. To reduce the maximum 
execution time, the 386 DX microprocessor does not allow shift counts greater than 31. 
If a shift count greater than 31 is attempted, only the bottom five bits of the shift count 
are used. (The 8086 uses all eight bits of the shift count.) 

The OF flag is affected only if the single-shift forms of the instructions are used. For left 
shifts, the OF flag is cleared if the high bit of the answer is the same as the result of the 
CF flag (i.e., the top two bits of the original operand were the same); the OF flag is set 
if they are different. For the SAR instruction, the OF flag is cleared for all single shifts. 
For the SHR instruction, the OF flag is set to the high-order bit of the original operand. 

Flags Affected 

The OF flag is affected for single shifts; the OF flag is undefined for multiple shifts; the 
CF, ZF, PF, and SF flags are set according to the result 
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Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SBB — Integer Subtraction with Borrow 



Opcode 


Instruction 


Clocks 


Description 


1C ib 


SBB AL./VnmS 


2 


Subtract with borrow immediate byte from AL 


1D iw 


SBB AK,imm 16 


2 


Subtract with borrow immediate word from AX 


ID id 


SBB EfiX,imm32 


2 


Subtract with borrow immediate dword from EAX 


80 /3 ib 


SBB r/m8,imm8 


2/7 


Subtract with borrow immediate byte from r/m byte 


81 /3 iw 


SBB r/m16,imm16 


2/7 


Subtract with borrow immediate word from r/m word 


81 13 id 


SBB r/m32,imm32 


2/7 


Subtract with borrow immediate dword from r/m dword 


83 /3 ib 


SBB r/m16,imm8 


2/7 


Subtract with borrow sign-extended immediate byte from r/m word 


83 /3 ib 


SBB r/m32,imm8 


2/7 


Subtract with borrow sign-extended immediate byte from r/m dword 


18 /f 


SBB r//T78,r8 


2/6 


Subtract with borrow byte register from r/m byte 


19 /r 


SBB r/m16,r16 


2/6 


Subtract with borrow word register from r/m word 


19 /r 


SBB r/m32,r32 


2/6 


Subtract with borrow dword register from r/m dword 


1A /r 


SBB r8,r/i7?S 


2/7 


Subtract with borrow byte register from r/m byte 


IB /r 


SBB r16,r/m16 


2/7 


Subtract with borrow word register from r/m word 


IB /r 


SBB r32,r/m32 


2/7 


Subtract with borrow dword register from r/m dword 



Operation 

IF SRC is a byte and DEBT is a word or dword 
THEN DEBT = DEBT - (Sign Extend (SRC) + CF) 
ELBE DEBT ^ DEBT - (SRC + CF); 



Description 

The SBB instruction adds the second operand (SRC) to the CF flag and subtracts the 
resuh from the first operand (DEST). The resuh of the subtraction is assigned to the 
first operand (DEST), and the flags are set accordingly. 

When an immediate byte value is subtracted from a word operand, the immediate value 
is first sign-extended. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result 

Protected IVIode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SCAS/SCASB/SCASW/SCASD- Compare String Data 



Opcode 


Instruction 


Clocks 


Description 


AE 
AF 
AF 
AE 
AF 
AF 


SCAS m8 
SCAS m16 
SCAS m32 
SCASB 
SCASW 
SCASD 


8 
8 
8 
8 
8 
8 


Compare bytes AL-ES:[DI], update (E)DI 
Compare words AX-ES:[DI], update (E)DI 
Compare dwords EAX-ES:[DI], update (E)DI 
Compare bytes AL-ES:[DI], update (E)DI 
Compare words AX-ES:[DI], update (E)DI 
Compare dwords EAX-ES:[DI], update (E)DI 



Operation 

IF AddressSize = 16 
THEN use Dl for dest-index; 

ELSE (* AddressSize = 32 *) use EDI for dest-index; 
Fl; 

IF byte type of instruction 
THEN 
AL - [dest-index]; (* Compare byte in AL and dest *) 
IF DF = THEN IndDec ^ 1 ELSE IncDec ^ -1; Fl; 
ELSE 
IF OperandSize = 16 
THEN 
AX - [dest-index]; (* compare word in AL and dest *) 
IF DF = THEN IncDec ^ 2 ELSE IncDec ^ -2; Fl; 
ELSE (* OperandSize = 32 *) 
EAX - [dest-index] ;(* compare dword in EAX & dest *) 
IF DF = THEN IncDec ^ 4 ELSE IncDec ^ -4; Fl; 
Fl; 
Fl; 
dest-index = dest-index + IncDec 



Description 

The SCAS instruction subtracts the memory byte or word at the destination register 
from the AL, AX or EAX register. The result is discarded; only the flags are set. The 
operand must be addressable from the ES segment; no segment override is possible. 

If the address-size attribute for this instruction is 16 bits, the DI register is used as the 
destination register; otherwise, the address-size attribute is 32 bits and the EDI register 
is used. 

The address of the memory data being compared is determined solely by the contents of 
the destination register, not by the operand to the SCAS instruction. The operand vali- 
dates ES segment addressability and determines the data type. Load the correct index 
value into the DI or EDI register before executing the SCAS instruction. 
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After the comparison is made, the destination register is automatically updated. If the 
direction flag is (the CLD instruction was executed), the destination register is incre- 
mented; if the direction flag is 1 (the STD instruction was executed), it is decremented. 
The increments or decrements are by 1 if bytes are compared, by 2 if words are com- 
pared, or by 4 if doublewords are compared. 

The SCASB, SCASW, and SCASD instructions are synonyms for the byte, word and 
doubleword SCAS instructions that don't require operands. They are simpler to code, 
but provide no type or segment checking. 

The SCAS instruction can be preceded by the REPE or REPNE prefix for a block 
search of CX or ECX bytes or words. Refer to the REP instruction for further details. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SETcc-Byte Set on Condition 



Opcode 


Instruction 


Clocks 


Description 


OF 97 


SETA r/m8 


4/5 


Set byte if above (CF = and ZF = 0) 


OF 93 


SETAE r/m8 


4/5 


Set byte if above or equal (CF = 0) 


OF 92 


SETB r/m8 


4/5 


Set byte if below (CF=1) 


OF 96 


SETBE r/mS 


4/5 


Set byte if below or equal (CF = 1 or (ZF = 1 ) 


OF 92 


SETC r/m8 


4/5 


Set if carry (CF = 1) 


OF 94 


SETEr/m8 


4/5 


Setbyteif equal (ZF=1) 


OF 9F 


SETG r/m8 


4/5 


Set byte if greater (ZF = or SF=OF) 


OF 9D 


SETGE r/m8 


4/5 


Set byte if greater or equal (SF = OF) 


OF 9C 


SETL r/m8 


4/5 


Setbyteif less (SFo OF) 


OF 9E 


SETLE r/m8 


4/5 


Set byte if less or equal (ZF = 1 or SF< >0F) 


OF 96 


SEJm r/m8 


4/5 


Setbyteif not above (CF = 1) 


OF 92 


SETNAE r/m8 


4/5 


Set byte If not above or equal (CF = 1 ) 


OF 93 


SETNB r/m8 


4/5 


Set byte if not below (CF = 0) 


OF 97 


SETNBE r/m8 


4/5 


Set byte if not below or equal (CF=0 and ZF = 0) 


OF 93 


SETNC r/m8 


4/5 


Set byte if not carry (CF = 0) 


OF 95 


SETNE r/m8 


4/5 


Set byte if not equal (ZF = 0) 


OF 9E 


SETNG r/m8 


4/5 


Set byte if not greater (ZF=1 or SF< >0F) 


OF 9C 


SETNGE r/m8 


4/5 


Set if not greater or equal (SF < > OF) 


OF 9D 


SETNL r/m8 


4/5 


Set byte if not less (SF = OF) 


OF 9F 


SETNLE r/m8 


4/5 


Set byte if not less or equal (ZF = and SF=OF) 


OF 91 


SETNO r/m8 


4/5 


Set byte if not overflow (OF = 0) 


OF 9B 


SETNP r/m8 


4/5 


Set byte if not parity (PF = 0) 


OF 99 


SETNS r/m8 


4/5. 


Set byte if not sign (SF = 0) 


OF 95 


SETNZ r/m8 


4/5 


Set byte if not zero (ZF = 0) 


OF 90 


SETO r/nn8 


4/5 


Set byte if overflow (OF = 1) 


OF 9A 


SETP r/m8 


4/5 


Setbyteif parity (PF = 1) 


OF 9A 


SETPE r/m8 


4/5 


Set byte if parity even (PF = 1 ) 


OF 9B 


SETPO r/m8 


4/5 


Set byte if parity odd (PF=0) 


OF 98 


SETS r/m8 


4/5 


Set byte if sign (SF = 1) 


OF 94 


St\/. r/m8 


4/5 


Set byte if zero (ZF = 1) 



Operation 

IF condition THEN r/m8 ^ 1 ELSE r/m8 ^ 0; Fl; 

Description 

The SETcc instruction stores a byte at the destination specified by the effective address 
or register if the condition is met, or a byte if the condition is not met. 

Flags Affected 

None 



Protected Mode Exceptions 

#GP(0) if the resuU is in a non-writable segment; #GP(0) for an illegal memory oper- 
and effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault 
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Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 IMode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 



17-161 



Intel' 



386™ DX MICROPROCESSOR INSTRUCTION SET 



SGDT/S IDT— Store Global/Interrupt Descriptor Table Register 



Opcode Instruction Clocks Description 

OF 01 /O SGDT m 9 Store GDTR to m 

OF 01 /I SIDT m 9 Store IDTR to m 



Operation 

DEST ^ 48-bit BASE/LIMIT register contents; 

Description 

The SGDT and SIDT instructions copy the contents of the descriptor table register to 
the six bytes of memory indicated by the operand. The LIMIT field of the register is 
assigned to the first word at the effective address. If the operand-size attribute is 32 bits, 
the next three bytes are assigned the BASE field of the register, and the fourth byte is 
written with zero. The last byte is undefined. Otherwise, if the operand-size attribute is 
16 bits, the next four bytes are assigned the 32-bit BASE field of the register. 

The SGDT and SIDT instructions are used only in operating system software; they are 
not used in application programs. 

Flags Affected 

None 

Protected Mode Exceptions 

Interrupt 6 if the destination operand is a register; #GP(0) if the destination is in a 
nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, 
DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- 
code) for a page fault 



Real Address Mode Exceptions 

Interrupt 6 if the destination operand is a register; Interrupt 13 if any part of the oper- 
and would lie outside of the effective address space from to OFFFFH 



Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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Compatibility Note 

The 16-bit forms of the SGDT and SIDT instructions are compatible with the 80286, if 
the value in the upper eight bits is not referenced. The 80286 stores I's in these upper 
bits, whereas the 386 DX microprocessor stores O's if the operand-size attribute is 16 
bits. These bits were specified as undefined by the SGDT and SIDT instructions in the 
80286 and 80287 Programmer's Reference Manual. 
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SHLD -Double Precision Sliift Left 



Opcode 

OF A4 
OF A4 
OF A5 
OF A5 


Instruction 

SHLD r/m16,r16,imm8 
SHLD r/m32,r32,imm8 
SHLD r/m16,r16,CL 
SHLD r/m32,r32,CL 


Clocks 

3/7 
3/7 
3/7 
3/7 


Description 

r/m16 gets SHL of r/m16 concatenated with r16 
r/m32 gets SHL of r/mS^ concatenated with r32 
r/m16 gets SHL of r/nn16 concatenated with r16 
r/m32 gets SHL of r/m32 concatenated with r32 



Operation 

(* count is an unsigned integer corresponding to the last operand of the instruction, either an 
immediate byte or the byte in register CL *) 
ShiftAmt ^ count l\/IOD 32; 
inBits ^ register; (* Allow overlapped operands *) 
IF ShiftAmt = 
THEN no operation 
ELSE 
IF ShiftAmt > OperandSize 
THEN (* Bad parameters *) 
r/m ^ UNDEFINED; 

CF, OF, SF, ZF, AF, PF ^ UNDEFINED; 
ELSE (* Perform the shift *) 
CF <- BIT[Base, OperandSize - ShiftAmt]; 

(* Last bit shifted out on exit *) 
FOR i ^ OperandSize - 1 DOWNTO ShiftAmt 
DO 

BIT[Base, i] ^ BIT[Base, i - ShiftAmt]; 
OF; 

FOR i ^ ShiftAmt - 1 DOWNTO 
DO 

BIT[Base, i] ^ BIT[inBits, i - ShiftAmt + OperandSize]; 
OD; 
Set SF, ZF, PF (r/m); 

(* SF, ZF, PF are set according to the value of the result *) 
AF <- UNDEFINED; 
Fl; 
Fl; 

Description 

The SHLD instruction shifts the first operand provided by the r/m field to the left as 
many bits as specified by the count operand. The second operand {r16 or r32) provides 
the bits to shift in from the right (starting with bit 0). The result is stored back into the 
r/m operand. The register remains unaltered. 

The count operand is provided by either an immediate byte or the contents of the CL 
register. These operands are taken MODULO 32 to provide a number between and 31 
by which to shift. Because the bits to shift are provided by the specified registers, the 



17-164 



intel' 



386'" DX MICROPROCESSOR INSTRUCTION SET 



operation is useful for multiprecision shifts (64 bits or more). The SF, ZF and PF flags 
are set according to the value of the result. The CF flag is set to the value of the last bit 
shifted out. The OF and AF flags are left undefined. 

Flags Affected 

The SF, ZF, and PF, flags are set according to the result; the CF flag is set to the value 
of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign 
change occurred, otherwise it is cleared; after a shift of more than one bit position, the 
OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which 
does not affect any flags. 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SHRD -Double Precision Shift Right 



Opcode 

OF AC 
OF AC 
OF AD 
OF AD 


Instruction 

SHRD r/m16,r16,imm8 
SHRD r/m32,r32,imm8 
SHRD r/m16,r16,CL 
SHRD r/m32,r32,Cl 


Clocks 

3/7 
3/7 
3/7 
3/7 


Description 

r/m16 ge^s SHR of r/m 7 6 concatenated with r16 
r/m32 gets SHR of r/m32 concatenated with r32 
r/m16 gets SHR of r/m 7 6 concatenated with r16 
r/m32 gets SHR of r/m32 concatenated with r32 



Operation 

(* count is an unsigned integer corresponding to the last operand of the instruction, either an 

innmediate byte or the byte in register CL *) 
ShiftAmt ^ count MOD 32; 
inBits ^ register; (* Allow overlapped operands *) 
IF ShiftAmt = 
THEN no operation 
ELSE 
IF ShiftAmt > OperandSize 
THEN (* Bad parameters *) 
r/m ^ UNDEFINED; 

CF, OF, SF, ZF, AF, PF ^ UNDEFINED; 
ELSE (* Perform the shift *) 
OF <- B\J[r/m, ShiftAmt - 1]; (* last bit shifted out on exit *) 
FOR i ^ TO OperandSize - 1 - ShiftAmt 
DO 

B\T[r/m, i] ^ BIT[rM I - ShiftAmt]; 
OD; 

FOR i <- OperandSize - ShiftAmt TO OperandSize -1 
DO 

BlT[r/r77,i] ^ BIT[inBits,i + ShiftAmt - OperandSize]; 
OD; 
Set SF, ZF, PF (r/m)] 

(* SF, ZF, PF are set according to the value of the result *) 
Set SF, ZF, PF (r/m); 
AF ^UNDEFINED; 
Fl; 
Fl; 

Description 

The SHRD instruction shifts the first operand provided by the r/m field to the right as 
many bits as specified by the count operand. The second operand {r16 or r32) provides 
the bits to shift in from the left (starting with bit 31). The result is stored baclc into the 
r/m operand. The register remains unaltered. 

The count operand is provided by either an immediate byte or the contents of the CL 
register. These operands are tal<:en MODULO 32 to provide a number between and 31 
by which to shift. Because the bits to shift are provided by the specified register, the 
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operation is useful for multi-precision shifts (64 bits or more). The SF, ZF and PF flags 
are set according to the value of the result. The CF flag is set to the value of the last bit 
shifted out. The OF and AF flags are left undefined. 

Flags Affected 

The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value 
of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign 
change occurred, otherwise it is cleared; after a shift of more than one bit position, the 
OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which 
does not affect any flags. 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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SLOT — Store Local Descriptor Table Register 



Opcode Instruction Clocks Description 

OF 00 /O SLOT r/m16 pm=2/2 Store LDTR to EA word 



Operation 

r/m16^LDTR; 

Description 

The SLDT instruction stores the Local Descriptor Table Register (LDTR) in the two- 
byte register or memory location indicated by the effective address operand. This regis- 
ter is a selector that points into the Global Descriptor Table. 

The SLDT instruction is used only in operating system software. It is not used in appli- 
cation programs. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 6; the SLDT instruction is not recognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

The operand-size attribute has no effect on the operation of the instruction. 



17-168 



int^'°' 386™ DX MICROPROCESSOR INSTRUCTION SET 



SMSW- Store Machine Status Word 



Opcode Instruction Clocks Description 

OF 01 /4 SMSW r/mre 2/3,pm = 2/2 Store machine status word to EA word 



Operation 

r/rr? 76 ^MSW; 

Description 

The SMSW instruction stores the machine status word (part of the CRO register) in the 
two-byte register or memory location indicated by the effective address operand. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address IVIode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 

Notes 

This instruction is provided for compatibility with the 80286; 386 DX microprocessor 
programs should use the MOV ..., CRO instruction. 
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STC- 


- Set Carry Flag 






Opcode 

F9 


Instruction 

STC 


Clocks 

2 


Description 

Set carry flag 



Operation 

CF^1; 

Description 

The STC instruction sets the CF flag. 

Flags Affected 

The CF flag is set 

Protected Mode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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STD-Set Direction Flag 



Opcode 

FD 



Instruction 

STD 



Clocks 

2 



Description 

Set direction flag so (E)SI and/or (E)DI decrement 



Operation 

DF<- 1; 

Description 

The STD instruction sets the direction flag, causing all subsequent string operations to 
decrement the index registers, (E)SI and/or (E)DI, on which they operate. 

Flags Affected 

The DF flag is set 

Protected IVIode Exceptions 

None 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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STI- 


Set 


Interrupt Flag 






Opcode 

F13 




Instruction Clocks 

STI 8 


Description 

Set interrupt flag; interrupts 
of the next instruction 


enabled at the end 



Operation 

IF^ 1 

Description 

The STI instruction sets the IF flag. The 386 DX microprocessor then responds to 
external interrupts after executing the next instruction if the next instruction allows the 
IF flag to remain enabled. If external interrupts are disabled and you code the STI 
instruction followed by the RET instruction (such as at the end of a subroutine), the 
RET instruction is allowed to execute before external interrupts are recognized. Also, if 
external interrupts are disabled and you code the STI instruction followed by the CLI 
instruction, then external interrupts are not recognized because the CLI instruction 
clears the IF flag during its execution. 

Flags Affected 

The IF flag is set 

Protected IVIode Exceptions 

#GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege 
level 

Real Address Mode Exceptions 

None 

Virtual 8086 Mode Exceptions 

None 
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STOS/STOSB/STOSW/STOSD- Store String Data 



Opcode 


Instruction 


Clocks 


Description 


AA 


STOS m8 


5 


Store AL in byte ES:[(E)DI], update (E)DI 


AB 


STOS m16 


5 


Store AX in word ES:[(E)DI], update (E)DI 


AB 


STOS m32 


5 


Store EAX in dword ES:[(E)DI], update (E)DI 


AA 


STOSB 


5 


Store AL in byte ES:[(E)DI], update (E)DI 


AB 


STOSW 


5 


Store AX in word ES:[(E)DI], update (E)DI 


AB 


STOSD 


5 


Store EAX in dword ES:[(E)DI], update (E)DI 



Operation 



IF AddressSize = 16 
THEN use ES:DI for DestReg 
ELSE (* AddressSize = 32 *) 
Fl; 

IF byte type of instruction 
THEN 
(ESiDestReg) ^ AL; 
IF DF = 

THEN DestReg ^ DestReg 
ELSE DestReg ^ DestReg - 
Fl; 
ELSE IF OperandSize = 16 
THEN 
(ES:DestReg) ^ AX; 
IFDF = 

THEN DestReg ^ DestReg 
ELSE DestReg ^ DestReg 
Fl; 
ELSE (* OperandSize = 32 * 
(ES:DestReg) ^ EAX; 
IF DF = 

THEN DestReg ^ DestReg 
ELSE DestReg ^ DestReg 
Fl; 
Fl; 
Fl; 



use ES:EDI for DestReg; 



+ 1; 
- 1; 



+ 2; 
- 2; 



+ 4; 
- 4; 



Description 

The STOS instruction transfers the contents of the AL, AX, or EAX register to the 
memory byte or word given by the destination register relative to the ES segment. The 
destination register is the DI register for an address-size attribute of 16 bits or the EDI 
register for an address-size attribute of 32 bits. 

The destination operand must be addressable from the ES register. A segment override 
is not possible. 
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The address of the destination is determined by the contents of the destination register, 
not by the expHcit operand of the STOS instruction. This operand is used only to vaU- 
date ES segment addressabiUty and to determine the data type. Load the correct index 
value into the destination register before executing the STOS instruction. 

After the transfer is made, the DI register is automatically updated. If the DF flag is 
(the CLD instruction was executed), the DI register is incremented; if the DF flag is 1 
(the STD instruction was executed), the DI register is decremented. The DI register is 
incremented or decremented by 1 if a byte is stored, by 2 if a word is stored, or by 4 if a 
doubleword is stored. 

The STOSB, STOSW, and STOSD instructions are synonyms for the byte, word, and 
doubleword STOS instructions, that do not require an operand. They are simpler to use, 
but provide no type or segment checking. 

The STOS instruction can be preceded by the REP prefix for a block fill of CX or ECX 
bytes, words, or doublewords. Refer to the REP instruction for further details. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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STR- 


-Store Task Register 




Opcode 

OF 00 /1 


Instruction 

STR r/m16 


Clocks 

pm = 23/27 


Description 

Store task register to EA word 



Operation 

r/m <- task register; 

Description 

The contents of the task register are copied to the two-byte register or memory location 
indicated by the effective address operand. 

The STR instruction is used only in operating system software. It is not used in applica- 
tion programs. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 6; the STR instruction is not recognized in Real Address Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode 

Notes 

The operand-size attribute has no effect on this instruction. 
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SUB — Integer Subtraction 



opcode 


Instruction 


Clocks 


Description 


2C ib 


SUB ALJmmS 


2 


Subtract immediate byte from AL 


2D iw 


SUBAX./mmte 


2 


Subtract immediate word from AX 


2D id 


SUB EAX,imm32 


2 


Subtract immediate dword from EAX 


80 /5 ib 


SUB r/m8,imm8 


2/7 


Subtract immediate byte from r/m byte 


81 /5/w 


SUB r/m16,imm16 


2/7 


Subtract immediate word from r/m word 


81 /5 id 


SUB r/m32,imm32 


2/7 


Subtract immediate dword from r/m dword 


83 /5 ib 


SUB r/m16,imm8 


2/7 


Subtract sign-extended immediate byte from r/m word 


83 /5 /t> 


SUB r/m32,imm8 


2/7 


Subtract sign-extended immediate byte from r/m dword 


28 /r 


SUB r/m8,f8 


2/6 


Subtract byte register from r/m byte 


29 /r 


SUB r/m16,r16 


2/6 


Subtract word register from r/m word 


29 /r 


SUB r/m32,r32 


2/6 


Subtract dword register from r/m dword 


2A /r 


SUB rS,r/m8 


2/7 


Subtract r/m byte from byte register 


2B /r 


SUB r16,r/m16 


2/7 


Subtract r/m word from word register 


2B Ir 


SUB r32,r/m32 


2/7 


Subtract r/m dword from dword register 



Operation 

IF SRC is a byte and DEBT is a word or dword 
THEN DEBT = DEBT - BignExtend(BRC); 
ELBE DEBT ^ DEBT - BBC; 
Fl; 



Description 

The SUB instruction subtracts the second operand (SRC) from the first operand 
(DEST). The first operand is assigned the result of the subtraction, and the flags are set 
accordingly. 

When an immediate byte value is subtracted from a word operand, the immediate value 
is first sign-extended to the size of the destination operand. 

Flags Affected 

The OF, SF, ZF, AF, PF, and CF flags are set according to the result 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 



17-177 



intel^ 



386 " DX MICROPROCESSOR INSTRUCTION SET 



TEST — Logical Compare 



opcode 


Instruction 


Clocks 


Description 


A8 ib 


TEST ALJmmd 


2 


AND immediate byte with AL 


A9 iw 


TEST fiX,imm16 


2 


AND immediate word with AX 


A9 id 


TEST Efid(.,imm32 


2 


AND immediate dword with EAX 


F6 /O ib 


TEST r/m8,imm8 


2/5 


AND immediate byte with r/m byte 


F7 /O iw 


TEST r/m16,imm16 


2/5 


AND immediate word with r/m word 


F7 /O /d 


TEST r/m32,imm32 


2/5 


AND immediate dword with r/m dword 


84 /r 


TEST r/m8,r8 


2/5 


AND byte register with r/m byte 


85 /r 


TEST r/m16,r16 


2/5 


AND word register with r/m word 


85 /r 


TEST r/m32,r32 


2/5 


AND dword register with r/m dword 



Operation 

DEBT : = LeftSRC AND RightSRC; 

OF ^ 0; 

OF<-0; 



Description 

The TEST instruction computes the bit-wise logical AND of its two operands. Each bit 
of the result is 1 if both of the corresponding bits of the operands are 1; otherwise, each 
bit is 0. The result of the operation is discarded and only the flags are modified. 

Flags Affected 

The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the 
result 

Protected IVIode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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VERR, VERW — Verify a Segment for Reading or Writing 



Opcode Instruction Clocks Description 

OF 00 /4 VERR r/m16 pm = 10/11 Set ZF= 1 if segment can be read, selector in r/m16 

OF 00 /5 VERW r/m16 pnn = 15/16 Set ZF= 1 if segment can be written, selector in r/m16 



Operation 

IF segment with selector at (r/m) is accessible 

with current protection level 

AND ((segment is readable for VERR) OR 
(segment is writable for VERW)) 
THEN ZF ^ 1 ; 
ELSE ZF ^ 0; 
Fl; 



Description 

The two-byte register or memory operand of the VERR and VERW instructions con- 
tains the value of a selector. The VERR and VERW instructions determine v^hether the 
segment denoted by the selector is reachable from the current privilege level and 
w^hether the segment is readable (VERR) or w^ritable (VERW). If the segment is acces- 
sible, the ZF flag is set; if the segment is not accessible, the ZF flag is cleared. To set the 
ZF flag, the foUow^ing conditions must be met: 

• The selector must denote a descriptor within the bounds of the table (GDT or LDT); 
the selector must be "defined." 

« The selector must denote the descriptor of a code or data segment (not that of a task 
state segment, LDT, or a gate). 

o For the VERR instruction, the segment must be readable. For the VERW instruc- 
tion, the segment must be a writable data segment. 

« If the code segment is readable and conforming, the descriptor privilege level (DPL) 
can be any value for the VERR instruction. Otherwise, the DPL must be greater than 
or equal to (have less or the same privilege as) both the current privilege level and the 
selector's RPL. 

The validation performed is the same as if the segment were loaded into the DS, ES, FS, 
or GS register, and the indicated access (read or write) were performed. The ZF flag 
receives the result of the validation. The selector's value cannot result in a protection 
exception, enabling the software to anticipate possible segment access problems. 

Flags Affected 

The ZF flag is set if the segment is accessible, cleared if it is not 
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Protected Mode Exceptions 

Faults generated by illegal addressing of the memory operand that contains the selector; 
the selector is not loaded into any segment register, and no faults attributable to the 
selector operand are generated 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 6; the VERR and VERW instructions are not recognized in Real Address 
Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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WAIT- Wait until BUSY# Pin is Inactive (HIGH) 



Opcode Instruction Clocks Description 

9B WAIT 7 minimum Wait until BUSY pin is inactive (HIGH) 



Description 

The WAIT instruction suspencis execution of the 386 DX microprocessor instructions 
until the BUSY# pin is inactive (high). The BUSY# pin is driven by the 387™ DX 
numeric coprocessor. 

Flags Affected 

None 

Protected IMode Exceptions 

#NM if the task-switched flag in the machine status word (the lower 16 bits of the CRO 
register) is set; #MF if the ERROR# input pin is asserted (i.e., the 387 math coproces- 
sor has detected an unmasked numeric error) 

Real Address Mode Exceptions 

Same exceptions as in Protected Mode 

Virtual 8086 Mode Exceptions 

Same exceptions as in Protected Mode 
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XCHG — Exchange Register/Memory with Register 



Opcode 


Instruction 


Clocks 


Description 


90+ r 


XCHG AX,r16 


3 


Exchange word register with AX 


90+ r 


XCHG rye.AX 


3 


Exchange word register with AX 


90+ r 


XCHG EAX,r32 


3 


Exchange dword register with EAX 


90+ r 


XCHG r32, EAX 


3 


Exchange dword register with EAX 


86 /r 


XCHG r/m8,r8 


3 


Exchange byte register with EA byte 


86 /r 


XCHG r8,r/j778 


3/5 


Exchange byte register with EA byte 


87 /r 


XCHG r/m16,r16 


3 


Exchange word register with EA word 


87 /r 


XCHG r16,r/m16 


3/5 


Exchange word register with EA word 


87 /r 


XCHG r/m32,r32 


3 


Exchange dword register with EA dword 


87 /r 


XCHG r32,r/m32 


3/5 


Exchange dword register with EA dword 



Operation 

temp ^ DEST 
DEST ^ SRC 
SRC ^ temp 

Description 

The XCHG instruction exchanges two operands. The operands can be in either order. If 
a memory operand is involved, the LOCK# signal is asserted for the duration of the 
exchange, regardless of the presence or absence of the LOCK prefix or of the value of 
thelOPL. 

Flags Affected 

None 

Protected l\/lode Exceptions 

#GP(0) if either operand is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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XLAT/XLATB- 


■Table Look- 


■up 


Translation 




Opcode 

D7 
D7 


Instruction 

XIAT m8 
XLATB 


Clocks 

5 
5 




Description 

Set AL to memory byte DS:[(E)BX + 
Set AL to memory byte DS:[(E)BX + 


unsigned AL] 
unsigned AL] 



Operation 

IF AddressSize = 16 
THEN 

AL ^ (BX + ZeroExtend(AL)) 
ELSE (* AddressSize = 32 *) 

AL^ (EBX + ZeroExtend(AL)); 
Fl; 

Description 

The XLAT instruction changes the AL register from the table index to the table entry. 
The AL register should be the unsigned index into a table addressed by the DS:BX 
register pair (for an address-size attribute of 16 bits) or the DS:EBX register pair (for an 
address-size attribute of 32 bits). 

The operand to the XLAT instruction allows for the possibility of a segment override. 
The XLAT instruction uses the contents of the BX register even if they differ from the 
offset of the operand. The offset of the operand should have been moved into the BX or 
EBX register with a previous instruction. 

The no-operand form, the XLATB instruction, can be used if the BX or EBX table will 
always reside in the DS segment. 

Flags Affected 

None 

Protected Mode Exceptions 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 
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Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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XOR — Logical Exclusive OR 



opcode 


Instruction 


Clocks 


Description 


34 ib 


XOR ALJmmS 


2 


Exclusive-OR immediate byte to AL 


35 iw 


X0RAX,imm16 


2 


Exclusive-OR immediate word to AX 


35 id 


XOR EAK,imm32 


2 


Exclusive-OR immediate dword to EAX 


80 /6 ib 


XOR r/md,imm8 


2/7 


Exclusive-OR immediate byte to r/m byte 


81 /6 iw 


XOR r/m16,imm16 


2/7 


Exclusive-OR immediate word to r/m word 


81 /6id 


XOR r/m32,imm32 


2/7 


Exclusive-OR immediate dword to r/m dword 


83 /6 /fc) 


XOR r/m16,imm8 


2/7 


XOR sign-extended immediate byte with r/m word 


83 /6 /to 


XOR r/m32,imm8 


2/7 


XOR sign-extended immediate byte with r/m dword 


30 fr 


XOR r/mS/S 


2/6 


Exclusive-OR byte register to r/m byte 


31 /r 


XOR r/m16,r16 


2/6 


Exclusive-OR word register to r/m word 


31 /r 


XOR r/m32,r32 


2/6 


Exclusive-OR dword register to r/m dword 


32 /r 


XOR r8,r/m8 


2/7 


Exclusive-OR byte register to r/m byte 


33 /r 


XOR r16,r/m16 


2/7 


Exclusive-OR word register to r/m word 


33 /r 


XOR r32,r/m32 


2/7 


Exclusive-OR dword register to r/m dword 



Operation 

DEBT <- LeftSRC XOR RightSRC 

CF^O 

OF^O 

Description 

The XOR instruction computes the exclusive OR of the two operands. Each bit of the 
result is 1 if the corresponding bits of the operands are different; each bit is if the 
corresponding bits are the same. The answer replaces the first operand. 

Flags Affected 

The CF and OF flags are cleared; the SF, ZF, and PF flags are set according to the 
result; the AF flag is undefined 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GF(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault 

Real Address Mode Exceptions 

Interrupt 13 if any part of the operand would lie outside of the effective address space 
from to OFFFFH 

Virtual 8086 Mode Exceptions 

Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault 
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APPENDIX A 
OPCODE MAP 

The opcode tables that follow aid in interpreting 386™ DX microprocessor object code. 
Use the high-order four bits of the opcode as an index to a row of the opcode table; use 
the low-order four bits as an index to a column of the table. If the opcode is OFH, refer 
to the two-byte opcode table and use the second byte of the opcode to index the rows 
and columns of that table. 



A.1 KEY TO ABBREVIATIONS 

Operands are identified by a two-character code of the form Zz. The first character, an 
uppercase letter, specifies the addressing method; the second character, a lowercase 
letter, specifies the type of operand. 

A.2 CODES FOR ADDRESSING METHOD 

A Direct address; the instruction has no modR/M byte; the address of the operand is 
encoded in the instruction; no base register, index register, or scaling factor can be 
applied; e.g., far JMP (EA). 

C The reg field of the modR/M byte selects a control register; e.g., MOV (0F20, 
0F22). 

D The reg field of the modR/M byte selects a debug register; e.g., MOV (0F21,0F23). 

E A modR/M byte follows the opcode and specifies the operand. The operand is 
either a general register or a memory address. If it is a memory address, the ad- 
dress is computed from a segment register and any of the following values: a base 
register, an index register, a scaling factor, a displacement. 

F Flags Register. 

G The reg field of the modR/M byte selects a general register; e.g., ADD (00). 

I Immediate data. The value of the operand is encoded in subsequent bytes of the 
instruction. 

J The instruction contains a relative offset to be added to the instruction pointer 
register; e.g., JMP short, LOOP. 

M The modR/M byte may refer only to memory; e.g., BOUND, LES, LDS, LSS, LFS, 
LGS. 

O The instruction has no modR/M byte; the offset of the operand is coded as a word 
or double word (depending on address size attribute) in the instruction. No base 
register, index register, or scaling factor can be applied; e.g., MOV (A0-A3). 
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R The mod field of the modR/M byte may refer only to a general register; e.g., MOV 
(0F20-0F24, 0F26). 

S The reg field of the modR/M byte selects a segment register; e.g., MOV (8C,8E). 

T The reg field of the modR/M byte selects a test register; e.g., MOV (0F24,0F26). 

X Memory addressed by the DS:SI register pair; e.g., MOVS, COMPS, OUTS, 
LODS, SCAS. 

Y Memory addressed by the ES:DI register pair; e.g., MOVS, CMPS, INS, STOS. 

A.3 CODES FOR OPERAND TYPE 

a Two one-word operands in memory or two double-word operands in memory, de- 
pending on operand size attribute (used only by BOUND). 

b Byte (regardless of operand size attribute) 

c Byte or word, depending on operand size attribute. 

d Double word (regardless of operand size attribute) 

p Thirty-two bit or 48-bit pointer, depending on operand size attribute. 

s Six-byte pseudo-descriptor 

V Word or double word, depending on operand size attribute, 
w Word (regardless of operand size attribute) 

A.4 REGISTER CODES 

When an operand is a specific register encoded in the opcode, the register is identified 
by its name; e.g., AX, CL, or ESI. The name of the register indicates whether the 
register is 32-, 16-, or 8-bits wide. A register identifier of the form eXX is used when the 
width of the register depends on the operand size attribute; for example, eAX indicates 
that the AX register is used when the operand size attribute is 16 and the EAX register 
is used when the operand size attribute is 32. 
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One-Byte Opcode Map 

2 3 4 



ADD 


PUSH 
ES 


POP 
ES 


Eb,Gb 


Ev,Gv 


Gb,Eb 


Gv,Ev 


ALJb 


eAXJv 


ADC 


PUSH 
SS 


POP 
SS 


Eb,Gb 


Ev,Gv 


Gb,Eb 


Gv.Ev 


ALJb 


eAXJv 


AND 


SEG 
= ES 


DAA 


Eb.Gb 


Ev,Gv 


Gb.Eb 


Gv,Ev 


ALJb 


eAXJv 


XOR 


SEG 
= SS 


AAA 


Eb,Gb 


Ev,Gv 


Gb.Eb 


Gb,Ev 


AL.Ib 


eAXJv 


INC general register 


eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSI 


eDI 


PUSH general register 


eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSI 


eDI 


PUSHA 


POPA 


BOUND 
Gv,Ma 


ARPL 
Ew.Rw 


SEG 
= FS 


SEG 
= GS 


Operand 
Size 


Address 
Size 


Short-displacement jump on condition (Jb) | 


JO 


JNO 


JB 


JNB 


JZ 


JNZ 


JBE 


JNBE 


Immediate GrpI 


MOVB 


GrpI 
Ev.lb 


TEST 


XCHG 1 


Ebjb 


Ev.lv 


AL,imm8 


Eb,Gb 


Ev.Gv 


Eb.Gb 


Ev,Gv 


NOP 


XCHG word or double-word register with eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSI 


eDI 


MOV 


MOVSB 
Xb.Yb 


MOVSW/D 
Xv.Yv 


CMPSB 
Xb.Yb 


CMPSW/D 
Xv.Yv 


AL,Ob 


eAX.Ov 


Ob,AL 


Ov.eAX 


MOV immediate byte into byte register 


AL 


CL 


DL 


BL 


AH 


CH 


DH 


BH 


Shift Grp2 


RET near 


LES 
Gv.Mp 


LDS 
Gv.Mp 


MOV 1 


EbJb 


Ev.lb 


Iw 




EbJb 


Evjv 


Shift Grp2 


AAM 


AAD 




XLAT 


Eb,1 


Ev,1 


Eb.CL 


Ev,CL 


LOOPNE 
Jb 


LOOPE 
Jb 


LOOP 
Jb 


JCXZ 
Jb 


IN 


OUT 1 


Al.lb 


eAXJb 


lb,AL 


Ib.eAX 


LOCK 




REPNE 


REP 
REPE 


HLT 


CMC 


Unary Grp3 


Eb 


Ev 1 
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One-Byte Opcode Map 

B C 



OR 


PUSH 
CS 


2-byte 
escape 


Eb,Gb 


Ev,Gv 


Gb.Eb 


Gv.Ev 


ALJb 


eAXJv 


SBB 


PUSH 
DS 


POP 
DS 


Eb.Gb 


Ev.Gv 


Gb.Eb 


Gv.Ev 


ALJb 


eAXJv 


SUB 


SEG 
= CS 


DAS 


Eb,Gb 


Ev.Gv 


Gb,Eb 


Gv.Ev 


ALJb 


eAXJv 


CMP 


SEG 
= DS 


AAS 


Eb.Gb 


Ev,Gv 


Gb.Eb 


Gv,Ev 


ALJb 


eAXJv 


DEC general register 


eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSI 


eDI 


POP into general register 


eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSi 


eDI 


PUSH 
Iv 


IMUL 
GvEvIv 


PUSH 
lb 


IMUL 
GvEvlb 


INSB 
Yb.DX 


INSW/D 
Yv,DX 


OUTSB 
DX.Xb 


OUTSW/D 
DX.Xv 


Short-displacennent jump on condition (Jb) 


JS 


JNS 


JP 


JNP 


JL 


JNL 


JLE 


JNLE 


MOV 


MOV 
Ew.Sw 


LEA 
Gv,M 


MOV 
Sw.Ew 


POP 
Ev 


Eb.Gb 


Ev.Gv 


Gb.Eb 


Gv.Ev 


CBW 


CWD 


CALL 
Ap 


WAIT 


PUSHF 
Fv 


POPF 
Fv 


SAHF 


LAHF 


TEST 


STOSB 
Yb.AL 


STOSW/D 
Yv.eAX 


LODSB 
AL,Xb 


LODSW/D 
eAX.Xv 


SCASB 
AL.Xb 


SCASW/D 
eAX.Xv 


ALJb 


eAX.Iv 


MOV immediate word or double into word or double register 


eAX 


eCX 


eDX 


eBX 


eSP 


eBP 


eSI 


eDI 


ENTER 
Iw.lB 


LEAVE 


RET far 


INT 
3 


INT 
lb 


INTO 

■ 
■ 


IRET 


Iw 




ESC (Escape to coprocessor instruction set) 


CALL 
Jv 


JMP 


IN 


OUT 


Jv 


Ap 


Jb 


AL,DX 


eAX.DX 


DX,AL 


DX,eAX 


CLC 


STC 


CLI 


STI 


CLD 


STD 


INC/DEC 
Grp4 


INC/DEC 
Grp5 
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Two-Byte Opcode Map (first byte is OFH) 

1 2 3 4 5 



Grp6 


Grp7 


LAR 
Gv.Ew 


LSL 
Gv,Ew 






CLTS 




















MOV 
Rci,Cd 


MOV 
Rd.Dd 


MOV 
Cd.Rd 


MOV 
Dd,Rd 


MOV 
Rd,Td 




MOV 
Td.Rd 




















































































Long-displacement jump on condition (Jv) 


JO 


JNO 


JB 


JNB 


JZ 


JNZ 


JBE 


JNBE 


Byte Set on condition (Eb) 


SETO 


SETNO 


SETB 


SETNB 


SETZ 


SETNZ 


SETBE 


SETNBE 


PUSH 
FS 


POP 
FS 




BT 
Ev.Gv 


SHLD 
EvGvlb 


SHLD 
EvGvCL 










LSS 
Mp 


BTR 
Ev.Gv 


LPS 
Mp 


LGS 
Mp 


MOVZX 


Gv.Eb 


Gv.Ew 
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Two-Byte Opcode Map (first byte is OFH) 

A B D 



9 
A 
B 
C 
D 
E 



































































































































Long-displacement jump on condition (Jv) 


JS 


JNS 


JP 


JNP 


JL 


JNL 


JLE 


JNLE 


SETS 


SETNS 


SETP 


SETNP 


SETL 


SETNL 


SETLE 


SETNLE 


PUSH 
GS 


POP 
GS 




BTS 
Ev.Gv 


SHRD 
EvGvlb 


SHRD 
EvGvCL 




IMUL 
Gv,Ev 






Grp-8 
Ev.lb 


BTC 
Ev.Gv 


BSF 
Gv.Ev 


BSR 
Gv.Ev 


MOVSX 


Gv.Eb 


Gv.Ew 
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000 



Opcodes determined by bits 5,4,3 of modR/IVi byte: 



mod 


nnn 


R/M 



001 



010 



oil 



100 



101 



110 



Opcodes determined by bits 5,4,3 of modR/IVI byte: 



mod 


nnn 


R/M 



111 



ADD 


OR 


ADC 


SBB 


AND 


SUB 


XOR 


CMP 


ROL 


ROR 


RCL 


RCR 


SHL 


SHR 


SHL 


SAR 


TEST 
Ib/lv 


TEST 
Ib/lv 


NOT 


NEG 


MUL 
AL/eAX 


IMUL 
ALVeAX 


DIV 
AL/eAX 


IDIV 
AL/eAX 


INC 
Eb 


DEC 
Eb 














INC 
Ev 


DEC 
Ev 


CALL 
Ev 


CALL 
eP 


JMP 
Ev 


JMP 
Ep 


PUSH 
Ev 





000 


001 


010 


011 


100 


101 


110 


111 


SLDT 
Ew 


STR 
Ew 


LLDT 
Ew 


LTR 
Ew 


VERR 
Ew 


VERW 
Ew 






SGDT 
Ms 


SIDT 
Ms 


LGDT 
Ms 


LIDT 
Ms 


SMSW 
Ew 




LMSW 
Ew 












BT 


BTS 


BTR 


BTC 
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APPENDIX B 
COMPLETE FLAG CROSS-REFERENCE 



B.1 KEY TO CODES 



T 


= instruction tests flag 


M 


= instruction nnodifies flag (either sets or resets depending on operands) 





= instruction resets flag 


1 


^instruction sets flag 


— 


= instruction's effect on flag is undefined 


R 


= instruction restores prior value of flag 


blank 


= instruction does not affect flag 



Instruction 


OF 


SF 


ZF 


AF 


PF 


CF 


TF 


IF 


DF 


NT 


RF 


AAA 





_ 


_ 


TM 


_ 


M 












AAD 


, — 


M 


M 


— 


M 


— 












AAM 


— 


M 


M 


_ 


M 


_ 












AAS 


— 


— 


— 


TM 


— 


M 












ADC 


M 


M 


M 


M 


M 


TM 












ADD 


M 


M 


M 


M 


M 


M 












AND 





M 


M 


— 


M 















ARPL 






M 


















BOUND 
























BSF/BSR 


— 


— 


M 


— 


— 


— 












BT/BTS/BTR/BTC 


— 


— 


— 


— 


— 


M 












CALL 
























CBW 
























CLC 

























CLD 

























CLI 

























CLTS 
























CMC 












M 












CMP 


M 


M 


M 


M 


M 


M 












CMPS 


M 


M 


M 


M 


M 


M 






T 






CWD 
























DAA 


— 


M 


M 


TM 


M 


TM 












DAS 


— 


M 


M 


TM 


M 


TM 












DEC 


M 


M 


M 


M 


M 














DIV 


— 


— 


_ 


_ 


— 


_ 












ENTER 
























ESC 
























HLT 
























IDIV 


— 


— 


_ 


_ 


— 


__ 












IMUL 


M 


— 


— 


— 


— 


M 












IN 
























INC 


M 


M 


M 


M 


M 














INS 


















T 






INT 


























INTO 


T 
























IRET 


R 


R 


R 


R 


R 


R 


R 


R 


R 


T 




Jcond 


T 


T 


T 




T 


T 
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Instruction 


OF 


SF 


ZF 


AF 


PF 


CF 


IF 


IF 


DF 


NT 


RF 


JCXZ 
























JMP 
























LAHF 
























LAR 






M 


















LDS/LES/LSS/LFS/LGS 
























LEA 
























LEAVE 
























LGDT/LIDT/LLDT/LMSW 
























LOCK 
























LODS 


















T 






LOOP 
























LOOPE/LOOPNE 






T 


















LSL 






M 


















LTR 
























MOV 
























MOV control, debug 


— 


— 


— 


— 


— 


— 












MOVS 


















T 






MOVSX/MOVZX 
























MUL 


M 


— 


— 


— 


_ 


M 












NEG 


M 


M 


M 


M 


M 


M 












NOP 
























NOT 
























OR 





M 


M 


— 


M 















OUT 
























OUTS 


















T 






POP/POPA 
























POPF 


R 


R 


R 


R 


R 


R 


R 


R 


R 


R 




PUSH/PUSHA/PUSHF 
























RCL/ROR 1 


M 










TM 












RCL/RCR count 


— 










TM 












REP/REPE/REPNE 
























RET 
























ROL/ROR 1 


M 










M 












ROL/ROR count 


— 










M 












SAHF 




R 


R 


R 


R 


R 












SALVSAR/SHUSHR 1 


M 


M 


M 


— 


M 


M 












SAUSAR/SHL/SHR 


— 


M 


M 


— 


M 


M 












count 
























SBB 


M 


M 


M 


M 


M 


TM 












SCAS 


M 


M 


M 


M 


M 


M 






T 






SET cond 


T 


T 


T 




T 


T 












SGDT/ 
























SIDT/SLDT/SMSW 
























SHLD/SHRD 


— 


M 


M 


_ 


M 


M 












STC 












1 












STD 


















1 






STI 
















1 








STOS 


















T 






STR 
























SUB 


M 


M 


M 


M 


M 


M 












TEST 





M 


M 


_ 


M 















VERRA/ERRW 






M 


















WAIT 
























XCHG 
























XLAT 
























XOR 





M 


M 


— 


M 
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STATUS FLAG SUMMARY 



C.1 STATUS FLAGS' FUNCTIONS 



Bit 


Name 


Function 





CF 


Carry Flag - Set on high-order bit carry or borrow; cleared otherwise. 


2 


PF 


Parity Flag - Set if low-order eight bits of result contain an even number of 
1 bits; cleared othen/vise. 


4 


AF 


Adjust flag - Set on carry from or borrow to the low order four bits of AL; 
cleared othen/vise. Used for decimal arithmetic. 


6 


ZF 


Zero Flag - Set if result is zero; cleared othen^/lse. 


7 


SF 


Sign Flag - Set equal to high-order bit of result (0 Is positive, 1 if 
negative). 


11 


OF 


Overflow Flag - Set if result is too large a positive number or too small a 
negative number (excluding sign-bit) to fit in destination operand; cleared 
othen/vise. 



0.2 KEY TO CODES 



T 


^Instruction tests flag 


M 


= instruction modifies flag (either sets or resets depending on operands) 





= instruction resets flag 


- 


= instruction's effect on flag is undefined 


blank 


= instruction does not affect flag 
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Instruction 


OF 


SF 


ZF 


AF 


PF 


CF 


AAA 


_ 








TM 


_ 


M 


AAS 


- 


- 


- 


TM 


- 


M 


AAD 





M 


M 


_ 


M 


_ 


AAM 


- 


M 


M 


- 


M 


- 


DAA 





M 


M 


TM 


M 


TM 


DAS 


- 


M 


M 


TM 


M 


TM 


ADC 


M 


M 


M 


M 


M 


TM 


ADD 


M 


M 


M 


M 


M 


M 


SBB 


M 


M 


M 


M 


M 


TM 


SUB 


M 


M 


M 


M 


M 


M 


CMP 


M 


M 


M 


M 


M 


M 


CMPS 


M 


M 


M 


M 


M 


M 


SCAS 


M 


M 


M 


M 


M 


M 


NEG 


M 


M 


M 


M 


M 


M 


DEC 


M 


M 


M 


M 


M 




INC 


M 


M 


M 


M 


M 




IMUL 


M 





_ 


_ 


_ 


M 


MUL 


M 


- 


- 


- 


- 


M 


RCL7RCR 1 


M 










TM 


RCL/RCR count 


— 










TM 


R0L/R0R1 


M 










M 


ROL/ROR count 


— 










M 


SAL/SAR/SHL7SHR 1 


M 


M 


M 


_ 


M 


M 


SAL/SAR/SHL/SHR count 


- 


M 


M 


- 


M 


M 


SHLD/SHRD 





M 


M 


_ 


M 


M 


BSF/BSR 


— 


_ 


M 


_ 








BT/BTS/BTR/BTC 


- 


- 


- 


- 


- 


M 


AND 





M 


M 


_ 


M 





OR 





M 


M 


_ 


M 





TEST 





M 


M 


_ 


M 





XOR 





M 


M 


- 


M 
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APPENDIX D 
CONDITION CODES 

Note: The terms "above" and "below" refer to the relation between two unsigned values 
(neither the SF flag nor the OF flag is tested). The terms "greater" and "less" refer to 
the relation between two signed values (the SF and OF flags are tested). 

D.I DEFINITION OF CONDITIONS 

(For conditional instructions Jcond, and SETcond) 



Mnemonic 


Meaning 


Instruction 

Subcode 

■ 


Condition Tested 





Overflow 


0000 


OF = 1 


NO 


No overflow 


0001 


OF = 


B 
NAE 


Below 

Neither above nor equal 


0010 


CF=1 


NB 
AE 


Not below 
Above or equal 


0011 


OF = 


E 

Z 


Equal 
Zero 


0100 


ZF = 1 


NE 
NZ 


Not equal 
Not zero 


0101 


ZF = 


BE 
NA 


Below or equal 
Not above 


0110 


(OF or ZF) = 1 


NBE 
A 


Neither below nor equal 
Above 


0111 


(OF or ZF) = 


S 


Sign 


1000 


SF = 1 


NS 


No sign 


1001 


SF = 


P 
RE 


Parity 
Parity even 


1010 


PF = 1 


NP 
PO 


No parity 
Parity odd 


1011 


PF = 


L 
NGE 


Less 

Neither greater nor equal 


1100 


(SF xor OF) = 1 


NL 
GE 


Not less 
Greater or equal 


1101 


(SF xor OF) = 


LE 
NG 


Less or equal 
Not greater 


1110 


((SF xor OF) or ZF) = 1 


NLE 
G 


Neither less nor equal 
Greater 


1111 


((SF xor OF) or ZF) = 
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APPENDIX E 
INSTRUCTION FORMAT AND TIMING 

This appendix is an excerpt from Section 6 of the 386 "^'^ DX Microprocessor Data Sheet. 



6. INSTRUCTION SET 

This section describes the 386"" DX Microproces- 
sor instruction set. A table lists all instructions 
along with instruction encoding diagrams and 
clock counts. Further details of the instruction en- 
coding are then provided in the following sections, 
which completely describe the encoding structure 
and the definition of all fields occurring within 
386 DX Microprocessor instructions. 



6.1 386"^ DX MICROPROCESSOR 
INSTRUCTION ENCODING AND 
CLOCK COUNT SUMMARY 

To calculate elapsed time for an instruction, multi- 
ply the instruction clock count, as listed in 
Table 6-1 below, by the processor clock period 
(e.g. 50 ns for a 20 MHz 386 DX Microprocessor, 
40 ns for a 25 MHz 386 DX Microprocessor, and 
30 ns for a 33 MHz 386 DX Microprocessor). 

For more detailed information on the encodings of 
instructions refer to Section 6.2 Instruction Encod- 
ings. Section 6.2 explains the general structure of 
instruction encodings, and defines exactly the 
encodings of ail fields contained within the 
instruction. 



Instruction Clock Count Assumptions 

1. The instruction has been prefetched, 
decoded, and is ready for execution. 

2. Bus cycles do not require wait states. 

3. There are no local bus HOLD requests delay- 
ing processor access to the bus. 

4. No exceptions are detected during instruction 
execution. 

5. If an effective address is calculated, it does 
not use two general register components. 
One register, scaling and displacement can 
be used within the clock counts shown. How- 
ever, if the effective address calculation uses 
two general register components, add 1 clock 
to the clock count shown. 

Instruction Clock Count Notation 

1 . If two clock counts are given, the smaller 
refers to a register operand and the larger 
refers to a memory operand. 

2. n = number of times repeated. 

3. m = number of components in the next 
Instruction executed, where the entire dis- 
placement (if any) counts as one component, 
the entire immediate data (if any) counts as 
one component, and each of the other bytes 
of the instruction and prefix(es) each count as 
one component. 
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Table 6-1. 386 DX''' Microprocessor Instruction Set Clock Count Summary 




INSTRUCTION 


FORMAT 




CLOCK COUNT 


NOTES 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


GENERAL DATA TRANSFER 
MOV = Move: 

Register to Register/Memory 

Register/Memory to Register 

Immediate to Register/Memory 

Immediate to Register (short form) 

Memory to Accumulator (short form) 

Accumulator to Memory (short form) 

Register Memory to Segment Register 

Segmerit Register to Register/ Memory 

MOVSX = Move With Sign Extension 

Register From Register/Memory 

MOVZX = Move With Zero Extension 

Register From Register/Memory 
PUSH = Push: 
Register/ Memory 

Register (short form) 

Segment Register (ES. CS, SS or DS) 

Segment Register (FS or GS) 

Immediate 
PUSHA = Push All 
POP = Pop 

Register/ Memory 

Register (short form) 

Segment Register (ES, SS or DS) 

Segment Register (FS or GS) 

POPA = PopAII 

XCHG = Exchange 

Register/Memory With Register 

Register With Accumulator (short form) 

IN = input from: 

Fixed Port 

Variable Port 

OUT = Output to: 

Fixed Port 

Variable Port 

LEA = Load EA to Register 




immediate data 


2/2 
2/4 
2/2 

2 

4 

2 
2/5 
2/2 

3/6 

3/6 

5 
2 
2 
2 
2 
18 

5 
4 
7 

7 
24 

3/5 
3 

12 
13 

10 
11 
2 


2/2 
2/4 
2/2 

2 

4 

2 
18/19 
2/2 

3/6 

3/6 

5 
2 
2 
2 
2 
18 

5 

4 
21 
21 
24 

3/5 
3 

6V26*' 
7V27«' 

4V24** 

5V25*' 

2 


b 
b 
b 

b 
b 
b 
b 

b 

b 

b 
b 
b 
b 
b 
b 

b 
b 
b 
b 
b 

b,f 


h 
h 
h 

h 

h 

h.i.i 

h 

h 

h 

h 
h 
h 
h 
h 
h 

h 

h 
h,i.j 
h,i.j 

h 

f.h 

m 
m 

m 
m 


1 1 w 1 mod reg r/m 




10001 01 w 1 mod reg r/m 




1 10001 1w ImodOOO r/m 




1011 w reg | immediate data 




1 1 w 1 full displacement 




1 1 1 w 1 full displacement 




10 01110 1 mod sreg3 r/m 




1 1 1 1 mod sreg3 r/m 




00001 111 1 101 1 1 1 1w 


mod reg r/m | 




00001 111 1 101 1 01 1 w 


mod reg r/m | 




Oik Count 

Virtual 
8086 Mode 


11111111 1 mod 1 1 r/m 




01010 reg 1 




sreg2 1 1 | 




00001 111 1 10sreg3000 




onoiOsO [immediate data 




01100000 1 




10 01111 1 mod r/m 




01011 reg 1 




sreg 2 1 1 1 1 




01111 1 1 sreg 3 01 




01100001 1 




1 1 1 w 1 mod reg r/m 




10 010 reg 1 




1 1 1 1 w 1 port number 


t26 
t27 

t24 
t25 


1 1 101 lOw 1 




1 1 1 1 1 w 1 port number 




1 1 1 01 1 1 w 1 






10 01101 1 mod reg r/m 



• If CPL ^ lOPL 



** If CPL > lOPL 
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Table 6-1. 386 DX'' Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION 


FORMAT 


CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


SEGMENT CONTROL 

LDS = Load Pointer to DS 

LES = Load Pointer to ES 

LFS = Load Pointer to FS 

LGS ^ Load Pointer to GS 

LSS = Load Pointer to SS 

FLAG CONTROL 

CLC = Clear Carry Flag 

CLD = Clear Direction Flag 

CLi = Clear Interrupt Enable Flag 

CLTS = Clear Task Switched Flag 

LAHF = Load AH into Flag 

POPF = Pop Flags 

PUSHF = Push Flags 

SAHF = Store AH into Flags 

STC = Set Carry Flag 

STD = Set Direction Flag 

STI = Set Interrupt Enable Flag 

ARITHMETIC 
ADD = Add 

Register to Register 

Register to Memory 

Memory to Register 

Immediate to Register/Memory 

Immediate to Accumulator (short form) 

ADC = Add With Carry 

Register to Register 

Register to Memory 

Memory to Register 

Immediate to Register/ Memory 

Immediate to Accumulator (short form) 

INC = Increment 

Register/Memory 

Register (short form) 
SUB = Subtract 
Register from Register 




7 
7 
7 
7 
7 

2 
2 
8 
6 
2 
2 
5 
4 
3 
2 
2 
8 

2 

7 
6 
2/7 
2 

2 
7 
6 
2/7 
2 

2/6 
2 

2 


22 
22 
25 
25 
22 

2 
2 
8 
6 
2 
2 
5 
4 
3 
2 
2 
8 

2 

7 
6 
2/7 
2 

2 

7 
6 
2/7 
2 

2/6 
2 

2 


b 
b 
b 
b 
b 

c 

b 
b 

b 
b 
b 

b 
b 
b 

b 


h.i.j 
h.i.j 
h.i.j 
h.i.j 
h.i.j 

m 
1 

h, n 
h 

m 

h 
h 
h 

h 
h 
h 

h 


110 101 1 mod reg r/m | 




110 010 1 mod reg r/m | 




1111 1 1011010 1 mod reg r/m | 




01111 1 10110101 1 mod reg r/m | 




00001111 1 10110010 1 mod reg r/m | 




11111 000 1 




11111100 1 




11111010 1 




00001 1 1 1 1 000001 10 1 




11110101 1 




10011111 1 




1001 1 101 1 




10011100 1 


1001 1 1 1 1 




11111001 1 




11111101 1 




11111011 1 




OOOOOOdw 1 mod reg r/m | 




OOOOOOOw mod reg r/m | 




1 w 1 mod reg r/m | 




1 s w 1 mod r/m | immediate data 




000001 Ow 1 immediate data 




1 d w 1 mod reg r/m | 




1 w 1 mod reg r/m | 




1 1 w 1 mod reg r/m | 




1 s w 1 mod 1 r/m | immediate data 




1 1 w 1 immediate data 




1 1 1 1 1 1 1 w 1 mod r/m 1 




1 reg 1 




1 1 d w 1 mod reg r/m | 
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Table 6-1. 386 DX"" 


Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION 


FORMAT 


CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


ARITHMETIC (Continued) 

Register from Memory 

Memory from Register 

immediate from Register/Memory 

Immediate from Accumulator (short form) 

SBB = Subtract with Borrow 

Register from Register 

Register from Memory 

Memory from Register 

Immediate from Register/Memory 

Immediate from Accumulator (short form) 

DEC = Decrement 

Register/Memory 

Register (short form) 

CMP = Compare 

Register with Register 

Memory with Register 

Register with Memory 

Immediate with Register/ Memory 

Immediate with Accumulator (short form) 

NEG - Change Sign 

AAA = ASCII Adjust for Add 

AAS = ASCII Adjust for Subtract 

DAA = Decimal Adjust for Add 

DAS = Decimal Adjust for Subtract 

MUL = Multiply (unsigned) 

Accumulator with Register/ Memory 
Multiplier-Byte 
-Word 

-Doubleword 

IMUL = Integer Multiply (signed) 

Accumulator with Register/Memory 

Multiplier-Byte 

-Word 

-Doubleword 

Register with Register/Memory 
Multiplier-Byte 
-Word 
-Doubleword 

Register/ Memory with Immediate to Register 
-Word 
-Doubleword 




7 
6 
2/7 
2 

2 

7 
6 

2/7 
2 

2/6 
2 

2 

5 

6 
2/5 

2 
2/6 

4 

4 

4 

4 

12-17/15-20 
12-25/15-28 
12-41/15-44 

12-17/15-20 
12-25/15-28 
12-41/15-44 

12-17/15-20 
12-25/15-28 
12-41/15-44 

13-26/14-27 
13-42/14-43 


7 
6 
2/7 
2 

2 
7 
6 
2/7 
2 

2/6 
2 

2 

5 

6 
2/5 

2 
2/6 

4 

4 

4 

4 

12-17/15-20 
12-25/15-28 
12-41/15-44 

12-17/15-20 
12-25/15-28 
12-41/15-44 

12-17/15-20 
12-25/15-28 
12-41/15-44 

13-26/14-27 
13-42/14-43 


b 
b 
b 

b 
b 
b 

b 

b 
b 
b 

b 

b.d 
b,d 
b,d 

b.d 
b,d 
b,d 

b.d 
b.d 
b.d 

bd 
b.d 


h 
h 
h 

h 
h 
h 

h 

h 
h 
h 

h 

d.h 
d.h 
d.h 

d.h 
d.h 
d.h 

d.h 
d.h 
d.h 

d.h 
d.h 


001 01 OOw 


mod reg r/m| 


1 00101 01 w 


mod reg r/m| 


1 1 OOOOOsw 


mod 1 1 r/m| immediate data 


00101 1 Ow 


immediate data 




1 0001 lOdw 


mod reg r/m| 






1 0001 1 OOw 


mod reg r/m( 


1 0001 lOlw 


mod reg r/m| 


1 100000SW 


modOII r/m| immediate data 


1 0001 1 lOw 


immediate data 




1 1 1 1 1 1 1 1w 


regOOl r/m| 


|oi001 reg 








1 001 llOdw 


mod reg r/m| 






1 001 1 lOOw 


mod reg r/m| 






1 001 1 lOlw 


mod reg r/m| 






1 lOOOOOsw 


mod 1 1 1 r/m| immediate data 


1 001 1 1 1 Ow 


immediate data 




1 1 1 1 1 01 1 w 


modO 1 1 r/m| 






1 001 101 1 1 


1 00111111 


1 001 00111 




1 00101111 






1 1 1 101 1 w |mod1 r/m| 


1 1 1 1 101 1w ImodlOl r/m| 


[ooOOIIII 1 10101111 |mod reg r/m| 


1 1 1 s 1 1 mod reg r/m| immediate data 
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Table 6-1. 386 DX™ Microprocessor Instruction Set Clock Count Summary (contd.) 



INSTRUCTION 


FORMAT 


CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 

Virtual 

Address 

Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


ARITHMETIC (Continued) 
DIV = Divide (Unsigned) 

Accumulator by Register/Memory 

Divisor— Byte 
—Word 
— Doubleword 

IDIV = Integer Divide (Signed) 

Accunnulator By Register/ Memory 

Divisor— Byte 
—Word 
—Doubleword 

AAD = ASCII Adjust for Divide 

AAM = ASCII Adjust for Multiply 

CBW = Convert Byte to Word 

CWD = Convert Word to Double Word 

LOGIC 

Shift Rotate Instructions 
Not Through Carry (ROL, ROR, SAL, SAR 
Register/ Memory by 1 

Register/ Memory by CL 

Register/ Memory by Immediate Count 

Through Carry (RCL and RCR) 

Register/ Memory by 1 

Register/ Memory by CL 

Register/Memory by Immediate Count 

SHLD = Shift Left Double 

Register/ Memory by Immediate 

Register/ Memory by CL 

SHRD = Shift Right Double 

Register/ Memory by Immediate 

Register/ Memory by CL 

AND = And 

Register to Register 




14/17 
22/25 
38/41 

19/22 
27/30 
43/46 

19 

17 

3 

2 

3/7 
3/7 
3/7 

9/10 
9/10 
9/10 

3/7 
3/7 

3/7 
3/7 

2 


14/17 
22/25 
38/41 

19/22 
27/30 
43/46 

19 

17 

3 

2 

3/7 
3/7 
3/7 

9/10 
9/10 
9/10 

3/7 
3/7 

3/7 
3/7 

2 


b.e 
b.e 
b.e 

b.e 
b.e 
b,e 

b 
b 
b 

b 
b 
b 


e.h 
e.h 
e.h 

e.h 
e.h 
e.h 

h 
h 

h 
h 
h 


1 1 1 1 1 1 w (mod 1 1 r/m| 


1 1 1 1 01 1w |mod1 1 1 r/m| 


11010101 1 00001010 1 


11010100 1 00001010 1 


1 001 1 000 1 


1 001 1 001 1 
, SHL, and SHR) 


1 1 01 000 w ImodTTT r/m| 


1 1 01 001 w ImodTTT r/m| 


1 1 w jmod TTT r/mjimmed 8-bit data 


1 1 01 000 w ImodTTT r/m| 


1 101 001 w ImodTTT r/m| 


1 1 w jmod TTT r/m|immed 8-bit data 
TTT Instruction 
00 ROL 
1 ROR 
10 RCL 

1 1 RCR 

1 SHL/SAL 
1 1 SHR 

1 1 1 SAR 


001111 1 10100100 jmod reg r/m|immed 8-bit data 




00001 1 1 1 1 10100101 Imodreg r/m| 




00001111 1 10101100 |mod reg r/m|immed 8-bit data 




00 001 1 1 1 1 1 0101 1 01 Imodreg r/mj 




001 000 dw Imodreg r/m| 
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Table 6-1. 386DX'' 


Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION 


FORMAT 




CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 

Virtual 

Address 

Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 

Virtual 

Address 

Mode 


LOGIC (Continued) 
Register to Memory 
Memory to Register 
Immediate to Register/ Memory 
Immediate to Accumulator (Short Form) 

TEST = And Function to Flags, No Result 

Register/ Memory and Register 

Immediate Data and Register/Memory 

Immediate Data and Accumulator 
(Short Form) 

0R = Or 

Register to Register 

Register to Memory 

Memory to Register 

Immediate to Register/ Memory 

Immediate to Accumulator (Short Form) 
XOR = Exclusive Or 

Register to Register 

Register to Memory 
Memory to Register 
Immediate to Register/ Memory 
Immediate to Accumulator (Short Form) 

STRING MANIPULATION 

CMPS = Compare Byte Word 

INS = input Byte/Word from DX Port 

LODS = Load Byte/Word to AL/AX/EAX 

MOVS = Move Byte Word 

OUTS = Output Byte/Word to DX Port 

SCAS = Scan Byte Word 

STOS = Store Byte/Word from 
AL/AX/EX 

XLAT = Translate String 

REPEATED STRING MANIPULATION 

Repeated by Count in CX or ECX 

REPECMPS = Compare String 

(Find Non-Match) 




Clk 
Count 
Virtual 

8086 
Mode 


7 
6 
2/7 
2 

2/5 
2/5 

2 

2 
7 
6 
2/7 
2 

2 

7 
6 
2/7 
2 

2/6 

10 
15 
5 
8 
14 
8 

5 
5 

5 + 9n 


7 
6 
2/7 
2 

2/5 
2/5 

2 

2 

7 
6 
2/7 
2 

2 
7 
6 
2/7 
2 

2/6 

10 
9V29** 

5 

8 
8V28** 

8 

5 
5 

5 + 9n 


b 
b 
b 

b 
b 

b 
b 
b 

b 
b 
b 

b 

b 
b 
b 
b 
b 
b 

b 
b 


h 
h 
h 

h 
h 

h 
h 
h 

h 
h 
h 

h 

h 
h, m 

h 

h 
h, m 

h 

h 
h 

h 


1 w 1 mod reg r/m | 




1 1 w 1 mod reg r/m | 




1 w 1 mod 10 r/m| immediate data 




1 1 w 1 immediate data 




1 1 w 1 mod reg r/m | 




1 1 1 1 1 1 w 1 mod r/m| immediate data 




1 1 1 w 1 immediate data 




1 d w 1 mod reg r/m | 




1 w 1 mod reg r/m | 




1 1 w I mod reg r/m | 




1 w 1 mod 1 r/m | immediate data 




1 1 w 1 immediate data 




1 1 d w 1 mod reg r/m | 




1 1 w 1 mod reg r/m | 




1 1 1 w 1 mod reg r/m | 




1000000W |mod110 r/m | immediate data 




1 1 1 w 1 immediate data 




1 1 1 101 1w |mod01 r/m| 




101001 1w 1 




01 1 01 1 Ow 1 1 


t29 






1 01 01 1 Ow 1 




1 01 001 Ow 1 




01 1 01 1 1 w 1 1 


t28 






1 01 01 1 1w 1 




1010101 w 1 




110101111 




11110011 1 101 001 1 w 1 



* If CPL <. lOPL 



If CPL > lOPL 



E-6 



Intel' 



INSTRUCTION FORMAT AND TIMING 



Table 6-1. 386 DX'^ Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION 


FORMAT 


CLOCK COUNT 


NOTES 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


REPEATED STRING MANIPULATIC 
REPNE CMPS = Compare String 

(Find Match) 

REP INS = Input String 
REP LCDS == Load String 
REP MOVS = Move String 
REP OUTS = Output String 
REPE SCAS = Scan String 
(Find Non-AL/AX/EAX) 

REPNE SCAS -Scan String 

(Find AL/AX/EAX) 

REP STOS = Store String 
BITMANIPUUVTION 
BSF = Scan Bit Forward 

BT = Test Bit 

Register/Memory, Immediate 

Register/Memory, Register 

BTC = Test Bit and Complement 

Register/Memory, Immediate 

Register/Memory, Register 

BTR = Test Bit and Reset 

Register/Memory, Immediate 

Reglster/IVIemory, Register 
BTS = Test Bit and Set 

Register/Memory. Immediate 

Register/I^emory, Register 

CONTROL TRANSFER 
CALL = Call 

Direct Witiiin Segment 
Register/Memory 

Direct Intersegment 


>H (Continued) 

Clk Count 


5+9n 
14+6n 
5 + 6n 

8 + 4n 
12 + 5n 

5 + 8n 

5 + 8n 
5+5n 

11+3n 

9 + 3n 

3/6 
3/12 

6/8 
6/13 

6/8 
6/13 

6/8 
6/13 

7 + m 

7 + m/ 

10 + m 

17 + m 


5 + 9n 
8 + 6n*/28 + 6n*' 

5 + 6n 

8 + 4n 
6 + 5nV26 + 5n*« 

5+8n 

5 + 8n 
5 + 5n 

11+3n 
9-H3n 

3/6 
3/12 

6/8 
6/13 

6/8 
6/13 

6/8 
6/13 

7 + m 

7 + m/ 
10 + m 

34 + m 


b 
b 
b 
b 
b 

b 

b 
b 

b 
b 

b 
b 

b 
b 

b 
b 

b 
b 

b 
b 


ii 
ii, m 

h 

h 
h>, m 

h 

h 
h 

h 
h 

h 
h 

h 
h 

h 
h 

h 

r 

ii.r 
j.k.r 


1111001o|l010011w| anftfiMftHA 




1111001l|oi10110w| 1 t28 + 6n 




1 1 1 10011 f 10101 lOw 1 




1 1 1 1001 if toiooiow 1 




1111001l|oi10111w| 1 t26 + 5n 




1 1 1 1001 1 1 10101 1 1w 1 




1 1 1 1001 1 1 0101 1 1 w 1 




1 1 1 1001 1 1 1 0101 01 w 1 




00001 1 1 1 1 101 1 1 100 Imodreg r/m| 


01111 10111101 mod reg r/m| 




00001111 1 10111010 |mod 1 00 r/m|immed 8-bit data| 


00001 1 1 1 1 1010001 1 Imodreg r/m| 




00001111 1 10111010 [mod 111 r/m|lmmed 8-bit data] 


00001 1 1 1 1 1 01 1 1 01 1 Imodreg r/m| 




00001111 1 10111010 |mod 1 1 0. r/m|immed 8-bit data| 


00001111 1 10110011 |mod reg r/m| 




00001111 1 10111010 |mod 1 1 r/m|immed 8-bit data| 




00001 1 1 1 1 1 0101 01 1 Imodreg r/m| 




1 1 101000 1 full displacement 




11111111 |mod 1 r/m| 


10 011010 junsigned full offset, selector 



NOTES: 

t Clock count shown applies if I/O permission allows I/O to the porl in virtual 8086 mode. If I/O bit map denies permission 
exception 13 fault occurs; refer to clock counts for INT 3 instruction. 
* If CPL ^ lOPL *• If CPL > lOPL 
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Table 6-1. 386 DX'" Microprocessor Instruction Set Clock Count Summary (contd.) 






CLOCK COUNT 


NOTES 1 


Real 




Real 




INSTRUCTION FORMAT 


Address 


Protected 


Address 






Mode or 


Virtual 


Mode or 


Virtual 




Virtual 


Address 


Virtual 


Address 




8086 


Mode 


8086 


Mode 




Mode 




Mode 




CONTROL TRANSFER (Continued) 










Protected Mode Only (Direct Intersegment) 










Via Call Gate to Same Privilege Level 




52 + m 




h,j.k,r 


Via Call Gate to Different Privilege Level, 










(No Parameters) 




86+ m 




h.j.k.r 


Via Call Gate to Different Privilege Level, 










(X Parameters) 




94+4x+m 




h,j.k,r 


From 80286 Task to 80286 TSS 




273 




h.j.k.r 


From 80286 Task to 386DXtm CPU TSS 




298 




h,j.k,r 


From 80286 Task to Virtual 8086 Task (386DXTM CPU TSS) 




218 




h,j,k,r 


From 386DXTM CPU Task to 80286 TSS 




273 




h,j.k,r 


From 386DXTM CPU Task to 386DXTM CPU TSS 




300 




h,j,k,r 


From 386DXTM CPU Task to Virtual 8086 Task (386DXTM CPU TSS) 


22+ m 


218 
38 + m 


b 


h.j,k,r 
h.j,k,r 


Indirect Intersegment | 1 1 1 1 1 1 1 1 |mod 1 1 r/m| 


Protected Mode Only (Indirect Intersegment) 










Via Call Gate to Same Privilege Level 




56 + m 




h.j,k,r 


Via Call Gate to Different Privilege Level, 










(No Parameters) 




90 + m 




h,j,k,^ 


Via Call Gate to Different Privilege Level, 










(X Parameters) 




98 + 4x+m 




h,i.k,r 


From 80286 Task to 80286 TSS 




278 




h,i,k.r 


From 80286 Task to 386DXTM CPU TSS 




303 




h.j.k.r 


From 80286 Task to Virtual 8086 Task (386DXTM CPU TSS) 




222 




h.i.k.r 


From 386DXTM CPU Task to 80286 TSS 




278 




h,i,k,r 


From 386DXTM CPU Task to 386DXTM CPU TSS 




305 




h.j.k.r 


From 386DXTM CPU Task to Virtual 8086 Task (386DXTM CPU TSS) 




222 




h.j.k.r 


JMP = Unconditional Jump 


7 + m 

7 + m 

74-m/ 
10 + m 

12 + m 


7 + m 

7 + m 

7 + m/ 
10 + m 

27 + m 


b 


r 

r 

h,r 
j.k.r 


Short 1 1 1 1 1 1 1 |8-bit displacement! 


Direct within Segment | 1 1 1 1 1 | full displacement 


Register/Memory Indirect within Segment | 11 1 1 11 1 1 |mod 1 r/m| 


Direct Intersegment | 1 1 1 1 1 [unsigned full offset, selector 


Protected Mode Only (Direct Intersegment) 










Via Call Gate to Same Privilege Level 




45 + m 




h.j.k.r 


From 80286 Task to 80286 TSS 




274 




h.i,k.r 


From 80286 Task to 386DXTM CPU TSS 




301 




h.j.k.r 


From 80286 Task to Virtual 8086 Task (386DXTM CPU TSS) 




219 




h,j,k,r 


From 386DXTM CPU Task to 80286 TSS 




270 




h.j.k,r 


From 386DXTM CPU Task to 386DXtm CPU TSS 




303 




h.j.k,r 


From 386DXTM CPU Task to Virtual 8086 Task (386DXTM CPU TSS) 


17 + m 


221 

31 +m 


b 


h.j.k.r 
h,j.k.r 


Indirect Intersegment | 1 1 1 1 1 1 1 1 |mod 1 1 r/m| 


Protected Mode Only (Indirect Intersegment) 










Via Call Gate to Same Privilege Level 




49 + m 




h.j,k.r 


From 80286 Task to 80286 TSS 




279 




h,j,k.r 


From 80286 Task to 386DXTM CPU TSS 




306 




h,j,k.r 


From 80286 Task to Virtual 8086 Task (386DXTM CPU TSS) 




223 




h.j,k,r 


From 386DXTM CPU Task to 80286 TSS 




275 




h.j,k.r 


From 386DXTM CPU Task to 386DXTM CPU TSS 




308 




h,j,k.r 


From 386DXTM CPU Task to Virtual 8086 Task (386DXtm CPU TSS) 




225 




h.j.k.r 
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Table 6-1. 386 DX™ Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION FORMAT 


CLOCK COUNT 


NOTES 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


CONTROL TRANSFER (Continued) 
RET = Return from CALL: 




10 + m 
10 + m 
18 + m 
18 + m 

7 •+■ m or 3 
7 + m or 3 

7 + m or 3 
7 + mor3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + mor3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 


10 + m 
10 + m 
32 + m 
32 + m 

69 
69 

7 -H m or 3 
7 + mor3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 -1- m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 


b 
b 
b 
b 


g. h,r 

g. h,r 

g.h,j.k.r 

g.h,j.k,r 

h, j, k. r 
h. j, k, r 


Wittiin Segment | 110 11 




Within Segment Adding Immediate to SP | 1 1 1 


16-bit displ 1 


Intersegment | 1 1 1 1 1 


Intersegment Adding Immediate to SP | 110 01010 

Protected Mode Only (RET): 
to Different Privilege Level 
Intersegment 
Intersegment Adding Immediate to SP 

CONDITIONAL JUMPS 

NOTE: Times Are Jump "Taken or Not Taken" 
JO = Jump on Overflow 


1 6-bit displ 1 


8-Bit Displacement | 1 1 1 


8-bit displ 1 




Full Displacement | 01111 


10000000 J full displacement 


JNO = Jump on Not Overflow 


B-Bit Displacement | 01110 01 


8-bit displ J 




Full Displacement | 00001 1 1 1 


10000 001 1 full displacement 


JB/JNAE = Jump on Below/Not Above or Equal 


8-Bit Displacement | 01110 010 


8-bit displ 1 






Full Displacement | 00001 1 1 1 


10 010 1 full displacement 


JNB/JAE = Jump on Not Below/ Above or Equal 


8-Bit Displacement | 1110 011 


8-bit displ 1 




Full Displacement | 01111 


10 011 I full displacement 


JE/JZ = Jump on Equal/Zero 


8-Bit Displacement | 01110 10 


8-bit displ 1 


Full Displacement | 1 1 1 1 


10 010 1 full displacement 


JNE/JNZ = Jump on Not Equal/Not Zero 


8-Bit Displacement | 01110101 


8-bit displ 1 




Full Displacement | 1 1 1 1 


10 0101 1 full displacement 


JBE/JNA = Jump on Below or Equal/Not Above 


8-Bit Displacement | 1 1 1 1 1 


8-bit displ I 




Full Displacement | 01111 


10 0110 1 full displacement 


JNBE/JA = Jump on Not Below or Equal/Above 


8-Bit Displacement | 1 1 1 1 1 1 


B-bit displ 1 




Full Displacement | 01111 


100 00111 1 full displacement 


JS =^^ Jump on Sign 


8-Bit Displacement | 011110 


8-bit displ J 




Full Displacement | 1 1 1 1 


10 010 1 full displacement 
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Table 6-1. 386 DX" Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION FORMAT 


CLOCK COUNT 


NOTES 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


CONDITIONAL JUMPS (Continued) 
JNS = Jump on Not Sign 


7 + m or 3 
7 -1- m or 3 

7 + m or 3 
7 -h m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 -1- m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 
9 + m or 5 
9 + m or 5 

11 + m 
11 + m 
11 + m 

4/5 
4/5 
4/5 


7 + m or 3 
7 + m or 3 

7 + m or 3 
7 -1- m or 3 

7 + m or 3 
7 + m or 3 

7 -1- m or 3 
7 + m or 3 

7 + m or 3 
7 + m or 3 

7 + mors 
7 -I- m or 3 

7 + m or 3 
7 + m or 3 
9 + m or 5 
9 -f- m or 5 

11 + m 
11 + m 
11 + m 

4/5 
4/5 
4/5 




h 
h 
h 




8-bltdispl 1 






Full Displacement [ 01111 


10 010 1 1 full displacement 


JP/JPE = Jump on Parity/Parity Even 




8-Bit Displacement | 01111010 


8-bit displ 1 






Full Displacement | 1111 


10 01010 1 full displacement 


JNP/JPO = Jump on Not Parity/Parity Odd 




8-Bit Displacement | 01111011 


8-bit displ 1 






Full Displacement | 1111 


10 10 11 1 full displacement 


JL/JNGE = Jump on Less/Not Greater or Equal 




8-Bit Displacement | 0111110 


8-bit displ 1 






Full Displacement | 01111 


10 001 100 1 full displacement 


JNL/JGE = Jump on Not Less/Greater or Equal 




8-Bit Displacement | 0111110 1 


8-bit displ 1 






Full Displacement | 1111 


10 0110 1 1 full displacement 


JLE/JNG = Jump on Less or Equal/Not Greater 




8-Bit Displacement | 01111110 


8-bit displ 1 


Full Displacement | 01111 


10 01110 1 full displacement 


JNLE/JG = Jump on Not Less or Equal/Greater 




8-Bit Displacement | 01111111 


8-bit displ 1 






Full Displacement | 01111 


10 01111 1 full displacement 






JCXZ = Jump on CX Zero | 1110 011 


8-bit displ 1 






JECXZ = Jump on ECX Zero | 1110 11 


8-bit displ 1 


(Address Size Prefix Differentiates JCXZ from JECXZ) 




LOOP = Loop CX Times | 1110 010 


8-bit displ 1 


LOOP7/1 nnPF — 1 nnn with 




Zero/Equal | 1110 01 


8-bit displ 1 


1 nnpN7/L nOPNF — L nnn Whiln 




NotZero | 11100000 


8-bit displ 1 


CONDITIONAL BYTE SET 

NOTE: Times Are Register/ Memory 




To Register/Memory | 1 1 1 1 


10 010 1 mod r/m | 


SETNO = Set Byte on Not Overflow 




To Register/Memory | 1111 


10 10 01 1 mod r/m | 


SETB/SETNAE = Set Byte on Below/Not Above or Equa 




To Register/ Memory | 1111 


1 1 1 1 mod r/m | 



E-10 



Intel' 



INSTRUCTION FORMAT AND TIMING 



Table 6-1. 386 DX''' Microprocessor Instruction Set Clock Count Summary (contd.) 



INSTRUCTION FORMAT 


CLOCK COUNT 


NOTES 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


CONDITIONAL BYTE SET (Continued) 

SETNB = Set Byte on Not Below/Above or Equal 


4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 

10 
12 

15 + 
4(n - 1) 

4 


4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 
4/5 

10 

12 

15 + 

4(n - 1) 

4 


b 
b 
b 

b 


h 
h 
h 
h 
h 
h 
h 
h 
h 
h 
h 
h 
h 

h 
h 
h 

h 


To Register/Memory | 00001111 | 10010011 


mod r/m | 


SETE/SETZ - Set Byte on Equal/Zero 




To Register/Memory | 00001111 | 10010100 


mod r/m | 


Sb 1 NE/SETNZ = Set Byte on Not Equal/Not Zero 




To Register/Memory 1 00001111 | 10010101 


mod r/m | 


SETBE/SETNA = Set Byte on Below or Equal/Not Above 




To Register/Memory 1 00001111 | 10010110 


mod r/m | 


SETNBE/SETA = Set Byte on Not Below or Equal/ Above 




To Register/Memory | 00001111 | 10010111 


mod r/m 1 


SETS = Set Byte on Sign 




To Register/Memory | 00001111 | 10011000 


mod r/m | 


SETNS = Set Byte on Not Sign 




To Register/Memory | 00001111 | 10011001 


mod r/m | 


SETP/SETPE = Set Byte on Parity/Parity Even 




To Register/Memory | 00001111 | 10011010 


mod r/m | 


SETNP/SETPO = Set Byte on Not Parity/Parity Odd 




To Register/Memory 00001111 ^10011011 


mod r/m | 


SETL/SETNGE = Set Byte on Less/Not Greater or Equal 




To Register/Memory 1 00001111 | 10011100 


mod r/m | 


SETNL/SETGE = Set Byte on Not Less/Greater or Equal 




To Register/ Memory | 00001111 | 01111101 


mod r/m | 


SETLE/SETNG = Set Byte on Less or Equal/Not Greater 




To Register/Memory | 00001111 | 10011110 


mod r/m | 


SETNLE/SETG = Set Byte on Not Less or Equal/Greater 




To Register/Memory | 00001111 | 10011111 


mod r/m | 




ENTER = Enter Procedure | 110 010 | 16-bit displacement, 8-bit level | 


L = 
L=1 
L> 1 




LEAVE = Leave Procedure | 110 10 1 | 
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Table 6-1. 386 DX'^ Microprocessor Instruction Set Clock Count Summary (contd.) 






CLOCK COUNT 


NOTES 1 


Real 




Real 




INSTRUCTION FORMAT 


Address 


Protected 


Addrdss 


Protected 




Mode or 


Virtual 


Mode or 


Virtual 




Virtual 


Address 


Virtual 


Address 




8086 


Mode 


8086 


Mode 




Mode 




Mode 




INTERRUPT INSTRUCTIONS 










INT = Interrupt 


37 
33 




b 




Type Specified | 11001101 | type | 


Type 3 | 1 1 1 1 | 


INTO = Interrupt 4 If Overflow Flag Set | 1 1 1 1 1 | 


lfOF=1 


35 




b.e 




lfOF = 


3 


3 


b.e 




Bound = Interrupt 5 If Detect Value | 0110 010 | mod reg r/m | 


Out of Range 










If Out of Range 


44 




b.e 


e, g. h, i. k, r 


If In Range 


10 


10 


b.e 


e, g, h, j, k. r 


Protected Mode Only (INT) 










INT: Type Specified 










Via Interrupt or Trap Gate 










to Same Privilege Level 




59 




g.j.k.r 


Via Inten-upt or Trap Gate 










to Different Privilege Level 




99 




g. i, k, r 


From 80286 Task to 80286 TSS via Task Gate 




282 




g.j,k,r 


From 80286 Task to 386DXtm CPU TSS via Task Gate 




309 




g,j,k,r 


From 80286 Task to virt 8086 md via Task Gate 




226 




g, j. k, r 


From 386DXTM CPU Task to 80286 TSS via Task Gate 




284 




g.j.k.r 


From 386DXTM CPU Task to 386DXtm CPU TSS via Task Gate 




311 




g. j, k, r 


From 386DXTM CPU Task to virt 8086 md via Task Gate 




228 




g. j. k. r 


From virt 8086 md to 80286 TSS via Task Gate 




289 




g.j.k.r 


From virt 8086 md to 386DXtm CPU TSS via Task Gate 




316 




g,j.k.r 


From virt 8086 md to priv level via Trap Gate or Interrupt Gate 




119 






INT: TYPE 3 










Via Interrupt or Trap Gate 










to Same Privilege Level 




59 




g.j,k.r 


Via Interrupt or Trap Gate 










to Different Privilege Level 




99 




g.i.k,r 


From 80286 Task to 80286 TSS via Task Gate 




278 




g.j.k,r 


From 80286 Task to 386DXTM CPU TSS via Task Gate 




305 


, 


g.j.k.r 


From 80286 Task to Virt 8086 md via Task Gate 




222 




g.i,k.r 


From 386DXTM CPU Task to 80286 TSS via Task Gate 




280 




g.i.k.r 


From 386DXTM CPU Task to 386DXtm CPU TSS via Task Gate 




307 




g. i, k, r 


From 386DXTM CPU Task to Virt 8086 md via Task Gate 




224 




g, j, k, r 


From virt 8086 md to 80286 TSS via Task Gate 




285 




g.j,k.r 


From virt 8086 md to 386DXtm CPU TSS via Task Gate 




312 




g. j. k, r 


From virt 8086 md to priv level via Trap Gate or Interrupt Gate 




119 






INTO: 










Via Interrupt or Trap Grate 










to Same Privilege Level 




59 




g. i. k, r 


Via Interrupt or Trap Gate 










to Different Privilege Level 




99 




g.j.k,r 


From 80286 Task to 80286 TSS via Task Gate 




280 




g.j.k,r 


From 80286 Task to 386DXtm CPU TSS via Task Gate 




307 




g. j. k, r 


From 80286 Task to virt 8086 md via Task Gate 




224 




g. i. k, r 


From 386DXTM CPU Task to 80286 TSS via Task Gate 




282 




g.i.k.r 


From 386DXTM CPU Task to 386DXtm CPU TSS via Task Gate 




309 




g,i.k.r 


From 386DXTM CPU Task to virt 8086 md via Task Gate 




225 




g, j, k, r 


From virt 8086 md to 80286 TSS via Task Gate 




287 




g, j. k, r 


From virt 8086 md to 386pXTM CPU TSS via Task Gate 




314 




g. j, k, r 


From virt 8086 md to priv level via Trap Gate or Interrupt Gate 




119 
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Table 6-1. 386 DX " Microprocessor Instruction Set Clock Count Summary (contd.) 








CLOCK COUNT 


NOTES 1 


Real 




Real 




INSTRUCTION FORMAT 




Address 


Protected 


Address 


Protected 






Mode or 


Virtual 


Mode or 


Virtual 






Virtual 


Address 


Virtual 


Address 






8086 


Mode 


8086 


Mode 






Mode 




Mode 




INTERRUPT INSTRUCTIONS (Continued) 












BOUND: 












Via Interrupt or Trap Gate 












to Same Privilege Level 






59 




g.j.k,r 


Via Inten-upt or Trap Gate 












to Different Privilege Level 






99 




g.j.k,r 


From 80286 Task to 80286 TSS via Task Gate 






254 




g. j, k, r 


From 80286 Task to 386DXtm CPU TSS via Task Gate 






284 




g.j.k.r 


From 80268 Task to virt 8086 Mode via Task Gate 






231 




g, j. k, r 


From 386DXTM CPU Task to 80286 TSS via Task Gate 






264 




g,j.k,r 


From 386DXTM CPU Task to 386DXTM CPU TSS via Task Gate 






294 




g. j. k, r 


From 80368 Task to virt 8086 Mode via Task Gate 






243 




g,j,k,r, 


From virt 8086 Mode to 80286 TSS via Task Gate 






264 




g, j. k. r 


From virt 8086 Mode to 386DXTM CPU TSS via Task Gate 






294 




g.j,k.r 


From virt 8086 md to priv level via Trap Gate or Interrupt Gate 






119 






INTERRUPT RETURN 




22 






9. h. j, k. r 


IRET = Interrupt Return | 1 1 00 1 1 1 1 | 


Protected Mode Only (IRET) 












To the Same Privilege Level (within task) 






38 




g.h.j.k.r 


To Different Privilege Level (within task) 






82 




g.h.j.k.r 


From 80286 Task to 80286 TSS 






232 




h,j.k.r 


From 80286 Task to 386DXTM CPU TSS 






265 




h, j, k, r 


From 80286 Task to Virtual 8086 Task 






213 




h.j.k.r 


From 80286 Task to Virtual 8086 Mode (within task) 






60 






From 386DXTM CPU Task to 80286 TSS 






271 




h.j.k.r 


From 386DXTM CPU Task to 386DXTM CPU TSS 






275 




h.j.k.r 


From 386DXTM CPU Task to Virtual 8086 Task 






223 




h.j.k.r 


From 386DXTM CPU Task to Virtual 8086 Mode (within task) 






60 






PROCESSOR CONTROL 




5 


5 




1 


HLT = HALT | 1 11 10100 | 


MOV = Move to and From Control/Debug/Test Registers 




11/4/5 

6 
22 
16 
14 
22 
12 
12 

3 

7 


11/4/5 

6 

22 
16 
14 
22 
12 
12 

3 

7 




1 
1 
1 
1 
1 
1 
1 
1 


CR0/CR2/CR3 from register | 00001111 | 00100010 


1 1 eee reg | 






Register From CRO-3 | 00001111 | 00100000 


1 1 eee reg | 






DRO-3 From Register | 00001111 | 0100011 


11 eee reg | 






DR6-7 From Register | 00001111 | 00100011 


1 1 eee reg | 






Register from DR6-7 | 00001111 | 00100001 


1 1 eee reg ] 






Register from DRO-3 | 00001111 | 00100001 


1 1 eee reg | 






TR6-7 from Register | 00001111 | 00100110 


1 1 eee reg | 






Register from TR6-7 | 00001111 | 00100100 


1 1 eee reg | 






NOP =NoOperation | 10010000 | 




WAIT = Wait until BUSY# pin is negated | 1 1 1 1 1 | 
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Table 6-1. 386 DX" Microprocessor Instruction Set Clock Count Summary (contd.) 




INSTRUCTION FORMAT 


CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


PROCESSOR EXTENSION INSTRUCTIONS 


See 

80287/80387 
data sheets for 
clock counts 












N/A 
N/A 

11 

11 

N/A 
11/14 

N/A 
N/A 

N/A 
N/A 













20/21 

15/16 

11 

11 

20/24 
11/14 

21/22 
25/26 

23/27 
9 

2/2 


a 

b.c 
b.c 

b.c 

a 
a 

a 

b.c 
b.c 

a 


h 
m 

h 

g. h, i. p 

h.l 
h.l 

g,h.j.i 
h,l 

g. h, i, p 
g.h.j.p 

g.h,j.i 

h 
h 
h 


Processor Extension Escape | 1 1 1 1 T T T | mod L L L r/m | 

TIT and LLL bits are opcode 
Information for coprocessor. 

PREFIX BYTES 


Address Size Prefix | 0110 0111 | 




LOCK = Bus Lock Prefix | 11110 | 




Operand Size Prefix | 1 1 1 1 | 


Segment Override Prefix 


CS: 1 1 1 1 1 1 




DS: 1 1 1 1 1 1 1 




ES: 1 1 1 1 1 




FS: 1 01 100100 1 




GS: 1 1 1 1 1 1 




SS: 1 1 1 1 1 1 


PROTECTION CONTROL 

ARPL = Adjust Requested Privilege Level 


From Register/ Memory 0110 011 | mod reg r/m | 


LAR = Load Access Rights 


From Register/ Memory | 00001111 | 00000 010 | mod reg r/m | 


LGDT = Load Global Descriptor 


Table Register | 00 001111 | 00 000 01 |mod010 r/m | 


LIDT = Load Interrupt Descriptor 


Table Register | 01111 1 1 | mod 1 1 r/m j 


LLDT = Load Local Descriptor 


Register/Memory | 00001111 | 00000000 |mod010 r/m | 


LMSW = Load Machine Status Word 


From Register/ Memory | 00001111 |oo0 001 | mod 1 1 r/m | 


LSL = Load Segment Limit 


From Register/Memory | 00001111 | 0000 0011 | mod reg r/m | 


Byte-Granular Limit 
Page-Granular Limit 
LTR = Load Task Register 


From Register/Memory | 00001111 | 00000000 |mod001 r/m | 


SGDT = Store Global Descriptor 


Table Register | 00001111 | 00000001 | mod r/m | 


SIDT = Store Interrupt Descriptor 


Table Register | 00001111 | 00000001 |mod001 r/m | 


SLOT = Store Local Descriptor Table Register 


To Register/Memory | 0001111 | 00 000 00 | mod 000 r/m | 
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Table 6-1. 386 DX'*" Microprocessor Instruction Set Clock Count Summary (contd.) 



INSTRUCTION 


FORMAT 








CLOCK COUNT 


NOTES 1 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 
Address 


Real 
Address 
Mode or 
Virtual 
8086 
Mode 


Protected 
Virtual 

Address 
Mode 


SMSW 
STR 

VERR 

VERW 


= Store Machine 
Status Word 

= Store Task Register 

To Register/Memory 

= Verify Read Accesss 

Register/Memory 

= Verify Write Accesss 










2/2 

N/A 

N/A 
N/A 


2/2 

2/2 

10/11 
15/16 


b.c 

a 

a 
a 


h.l 
h 

g.h.j.p 
g.h.j.p 


1 000011 1 1 


00000001 


1 mod 1 


r/m 1 


1 00001 1 1 1 


00000000 


1 mod 1 


r/m 1 


1 00001 1 1 1 


00000000 


1 mod 1 


r/mj 


1 0001 1 1 1 


00000000 


1 mod 1 1 


r/m 1 



INSTRUCTION NOTES FOR TABLE 6-1 

Notes a through c apply to 386DX Microprocessor Real Address Mode only: 

a. This is a Protected Mode instruction. Attempted execution in Real Mode will result in exception 6 (invalid opcode). 

b. Exception 13 fault (general protection) will occur in Real Mode if an operand reference is made that partially or fully 
extends beyond the maximum CS, DS, ES, FS or GS limit, FFFFH. Exception 12 fault (stack segment limit violation or not 
present) will occur in Real Mode if an operand reference is made that partially or fully extends beyond the maximum 88 limit. 

c. This instruction may be executed in Real Mode. In Real Mode, its purpose is primarily to initialize the CPU for Protected 
Mode. 

Notes d through g apply to 386DX Microprocessor Real Address Mode and 386DX Microprocessor Protected 
Virtual Address Mode: 

d. The 386DX Microprocessor uses an early-out multiply algorithm. The actual number of clocks depends on the position of 
the most significant bit in the operand (multiplier). 

Clock counts given are minimum to maximum. To calculate actual clocks use the following formula: 
Actual Clock = if m < > then max ([log2 |m|], 3) + b clocks: 

if m = then 3 + b clocks 
In this formula, m is the multiplier, and 
b = 9 for register to register, 
b = 12 for memory to register, 
b = 1 for register with immediate to register, 
b = 1 1 for memory with immediate to register. 

e. An exception may occur, depending on the value of the operand. 

f. LOCK# is automatically asserted, regardless of the presence or absence of the LOCK# prefix. 

g. LOCK# is asserted during descriptor table accesses. 

Notes h through r apply to 386DX Microprocessor Protected Virtual Address Mode only: 

h. Exception 13 fault (general protection violation) will occur If the memory operand in C8, D8, E8, F8 or GS cannot be used 

due to either a segment limit violation or access rights violation. If a stack limit is violated, an exception 12 (stack segment 

limit violation or not present) occurs. 

i. For segment load operations, the CPL, RPL, and DPL must agree with the privilege rules to avoid an exception 13 fault 

(general protection violation). The segment's descriptor must indicate "present" or exception 1 1 (C8, DS, ES, FS, GS not 

present). If the 88 register is loaded and a stack segment not present is detected, an exception 12 (stack segment limit 

violation or not present) occurs. 

j. All segment descriptor accesses in the GDT or LDT made by this instruction will automatically assert LOCK# to maintain 

descriptor integrity in multiprocessor systems. 

k. JMP, CALL, INT, RET and IRET Instructions referring to another code segment will cause an exception 13 (general 

protection violation) if an applicable privilege rule is violated. 

I. An exception 1 3 fault occurs if CPL is greater than (0 is the most privileged level). 

m. An exception 13 fault occurs if CPL is greater than lOPL 

n. The IF bit of the flag register is not updated If CPL Is greater than lOPL The lOPL and VM fields of the flag register are 

updated only if CPL = 0. 

o. The PE bit of the MSW (CRO) cannot be reset by this Instruction. Use MOV Into CRO if desiring to reset the PE bit. 

p. Any violation of privilege rules as applied to the selector operand does not cause a protection exception; rather, the zero 

flag is cleared. 

q. If the coprocessor's memory operand violates a segment limit or segment access rights, an exception 13 fault (general 

protection exception) will occur before the ESC instruction is executed. An exception 1 2 fault (stack segment limit violation 

or not present) will occur If the stack limit is violated by the operand's starting address. 

r. The destination of a JMP, CALL, INT, RET or IRET must be In the defined limit of a code segment or an exception 13 fault 

(general protection violation) will occur. 
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6.2 INSTRUCTION ENCODING 



6.2.1 Overview 

All instruction encodings are subsets of the general 
instruction format shown in Figure 6-1. Instructions 
consist of one or two primary opcode bytes, possibly 
an address specifier consisting of the "mod r/m" 
byte and "scaled index" byte, a displacement if re- 
quired, and an immediate data field if required. 

Within the primary opcode or opcodes, smaller en- 
coding fields may be defined. These fields vary ac- 
cording to the class of operation. The fields define 
such information as direction of the operation, size 
of the displacements, register encoding, or sign ex- 
tension. 

Almost all instructions referring to an operand In 
memory have an addressing mode byte following 
the primary opcode byte(s). This byte, the mod r/m 
byte, specifies the address mode to be used. Certain 



encodings of the mod r/m byte indicate a second 
addressing byte, the scale-index-base byte, follows 
the mod r/m byte to fully specify the addressing 
mode. 

Addressing modes can include a displacement Im- 
mediately following the mod r/m byte, or scaled in- 
dex byte. If a displacement is present, the possible 
sizes are 8, 16 or 32 bits. 

If the instruction specifies an immediate operand, 
the immediate operand follows any displacement 
bytes. The immediate operand, if specified, is always 
the last field of the instruction. 

Figure 6-1 Illustrates several of the fields that can 
appear in an instruction, such as the mod field and 
the r/m field, but the Figure does not show all fields. 
Several smaller fields also appear in certain instruc- 
tions, sometimes within the opcode bytes them- 
selves. Table 6-2 is a complete list of all fields ap- 
pearing in the 386DX Microprocessor instruction set. 
Further ahead, following Table 6-2, are detailed ta- 
bles for each field. 



TTTTTTTT TTTTTTTT modTTTr/m ssindexbase d32 | 16 | 8 | nonedata32 | 16 | 8 | none 

^^ ^ V ^ J 



7 



7 6 5 3 2 7 6 5 3 2 



opcode 

(one or two bytes) 

(T represents an 

opcode bit.) 



V^ 



"mod r/m" 
byte 



"s-i-b" 
byte 



register and address 
mode specifier 



address 
displacement 
(4, 2, 1 bytes 

or none) 



immediate 

data 

(4,2, 1 bytes 

or none) 



Figure 6-1. General Instruction Format 



Table 6-2. Fields within 386 DX'*" Microprocessor Instructions 



Field Name 


Description 


Number of Bits 


w 


Specifies if Data Is Byte or Full Size (Full Size is either 1 6 or 32 Bits 


1 


d 


Specifies Direction of Data Operation 


1 


s 


Specifies if an Immediate Data Field Must be Sign-Extended 


1 


reg 


General Register Specifier 


3 


mod r/m 


Address Mode Specifier (Effective Address can be a General Register) 


2 for mod; 

3 for r/m 


ss 


Scale Factor for Scaled Index Address Mode 


2 


index 


General Register to be used as Index Register 


3 


base 


General Register to be used as Base Register 


3 


sreg2 


Segment Register Specifier for CS, SS, DS, ES 


2 


sreg3 


Segment Register Specifier for CS, SS, DS, ES, FS, GS 


3 


tttn 


For Conditional Instructions, Specifies a Condition Asserted 






or a Condition Negated 


4 



Note: Table 6-1 shows encoding of individual instructions. 
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6.2.2 32-Bit Extensions of the 
Instruction Set 

With the 386DX i\/1icroprocessor, the 8086/80186/ 
80286 instruction set is extended in two orthogonal 
directions: 32-bit forms of all 16-bit instructions are 
added to support the 32-bit data types, and 32-bit 
addressing modes are made available for all instruc- 
tions referencing memory. This orthogonal Instruc- 
tion set extension is accomplished having a Default 
(D) bit in the code segment descriptor, and by hav- 
ing 2 prefixes to the instruction set. 

Whether the instruction defaults to operations of 16 
bits or 32 bits depends on the setting of the D bit in 
the code segment descriptor, which gives the de- 
fault length (either 32 bits or 1 6 bits) for both oper- 
ands and effective addresses when executing that 
code segment. In the Real Address Mode or Virtual 
8086 Mode, no code segment descriptors are used, 
but a D value of is assumed internally by the 
386DX Microprocessor when operating in those 
modes (for 16-bit default sizes compatible with the 
8086/80186/80286). 

Two prefixes, the Operand Size Prefix and the Effec- 
tive Address Size Prefix, allow overriding individually 
the Default selection of operand size and effective 
address size. These prefixes may precede any op- 
code bytes and affect only the instruction they pre- 
cede. If necessary, one or both of the prefixes may 
be placed before the opcode bytes. The presence of 
the Operand Size Prefix and the Effective Address 
Prefix will toggle the operand size or the effective 
address size, respectively, to the value "opposite" 
from the Default setting. For example, if the default 
operand size is for 32-bit data operations, then pres- 
ence of the Operand Size Prefix toggles the instruc- 
tion to 16-bit data operation. As another example, if 
the default effective address size is 16 bits, pres- 
ence of the Effective Address Size prefix toggles the 
instruction to use 32-bit effective address computa- 
tions. 

These 32-bit extensions are available in ail 386DX 
Microprocessor modes, including the Real Address 
Mode or the Virtual 8086 Mode. In these modes the 
default is always 16 bits, so prefixes are needed to 
specify 32-bit operands or addresses. For instruc- 
tions with more than one prefix, the order of prefixes 
is unimportant. 

Unless specified othenA^ise, instructions with 8-bit 
and 16-bit operands do not affect the contents of 
the high-order bits of the extended registers. 

6.2.3 Encoding of Instruction Fields 

Within the instruction are several fields indicating 
register selection, addressing mode and so on. The 
exact encodings of these fields are defined immedi- 
ately ahead. 



6.2.3.1 ENCODING OF OPERAND LENGTH (w) 
FIELD 

For any given instruction performing a data opera- 
tion, the instruction is executing as a 32-bit operation 
or a 16-bit operation. Within the constraints of the 
operation size, the w field encodes the operand size 
as either one byte or the full operation size, as 
shown in the table below. 



w Field 


Operand Size 

During 16-Bit 

Data Operations 


Operand Size 

During 32-Bit 

Data Operations 




1 


8 Bits 
16 Bits 


8 Bits 
32 Bits 



6.2.3.2 ENCODING OF THE GENERAL 
REGISTER (reg) FIELD 

The general register is specified by the reg field, 
which may appear in the primary opcode bytes, or as 
the reg field of the "mod r/m" byte, or as the r/m 
field of the "mod r/m" byte. 

Encoding of reg Field When w Field 
is not Present in Instruction 





Register Selected 


Register Selected 


reg Field 


During 16-Bit 


During 32-Bit 




Data Operations 


Data Operations 


000 


AX 


EAX 


001 


CX 


ECX 


010 


DX 


EDX 


oil 


BX 


EBX 


100 


SP 


ESP 


101 


BP 


EBP 


101 


SI 


ESI 


101 


Dl 


EDI 



Encoding of reg Field When w Field 
is Present in Instruction 



Register Specified by reg Field 
During 16-Bit Data Operations: 


reg 


Function of w Field 


(when w = 0) 


(when w = 1) 


000 
001 
010 

oil 

100 
101 
110 

111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


AX 
CX 
DX 
BX 
SP 
BP 
SI 
Dl 



E-17 



intel^ 



INSTRUCTION FORMAT AND TIMING 



Register Specified by reg Field 
During 32-Bit Data Operations 


reg 


Function of w Field 


(when w = 0) 


(when w = 1) 


000 
001 
010 

oil 

100 
101 
110 

111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


EAX 
ECX 
EDX 
EBX 
ESP 
EBP 
ESI 
EDI 



6.2.3.3 ENCODING OF THE SEGMENT 
REGISTER (sreg) FIELD 

The sreg field in certain instructions is a 2-bit field 
allowing one of the four 80286 segment registers to 
be specified. The sreg field in other instructions Is a 
3-bit field, allowing the 386DX Microprocessor FS 
and GS segment registers to be specified. 

2-Bit sreg2 Field 



2-Bit 
sreg2 Field 


Segment 
Register 
Selected 


00 
01 
10 

11 


ES 
08 
88 
D8 



3-Bit sreg3 Field 


3-Blt 
sreg3 Field 


Segment 
Register 
Selected 


000 


E8 


001 


08 


010 


88 


oil 


D8 


100 


FS 


101 


G8 


110 


do not use 


111 


do not use 



6.2.3.4 ENCODING OF ADDRESS MODE 

Except for special instructions, such as PUSH or 
POP, where the addressing mode is pre-determined, 
the addressing mode for the current instruction is 
specified by addressing bytes following the primary 
opcode. The primary addressing byte is the "mod 
r/m" byte, and a second byte of addressing informa- 
tion, the "s-i-b" (scale-index-base) byte, can be 
specified. 

The s-i-b byte (scale-index-base byte) is specified 
when using 32-bit addressing mode and the "mod 
r/m" byte has r/m = 100 and mod = 00, 01 or 10, 
When the sib byte is present, the 32-bit addressing 
mode is a function of the mod, ss, index, and base 
fields. 

The primary addressing byte, the "mod r/m" byte, 
also contains three bits (shown as TTT in Figure 6-1) 
sometimes used as an extension of the primary op- 
code. The three bits, however, may also be used as 
a register field (reg). 

When calculating an effective address, either 1 6-bit 
addressing or 32-bit addressing is used. 16-bit ad- 
dressing uses 16-bit address components to calcu- 
late the effective address while 32-bit addressing 
uses 32-bit address components to calculate the ef- 
fective address. When 16-blt addressing is used, the 
"mod r/m" byte is interpreted as a 16-bit addressing 
mode specifier. When 32-bit addressing is used, the 
"mod r/m" byte is interpreted as a 32-bit addressing 
mode specifier. 

Tables on the following three pages define all en- 
codings of all 16-bit addressing modes and 32-bit 
addressing modes. 
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Encoding of 16-bit Address Mode with "mod r/m" Byte 



mod r/m 


Effective Address 


00 000 


DS:[BX + SI] 


00 001 


DS:[BX + DI] 


00010 


SS:[BP + SI] 


00 011 


SS:[BP + DI1 


00 100 


DS:[SI] 


00 101 


DS:[DI] 


00 110 


DS:d16 


00111 


DS:[BX] 


01 000 


DS:[BX + SI + d8] 


01001 


DS:[BX + DI + d8] 


01010 


SS:[BP + SI + d8] 


01011 


SS:[BP + DI + d8l 


01100 


DS:[SH-d8] 


01 101 


DS:[DI + d8] 


01110 


SS:[BP + d8] 


01111 


DS:[BX + d8] 



mod r/m 


Effective Address 


10 000 


DS:[BX + SI + d16] 


10 001 


DS:[BX + DI + d16] 


10010 


SS:[BP + SI + d16] 


10011 


SS:[BP + DI + d16] 


10 100 


DS:[SI + d16] 


10 101 


DS:[DI + d16] 


10110 


SS:[BP + d16] 


10111 


DS:[BX + d16] 


11000 


register— see below 


11001 


register— see below 


11 010 


register — see below 


11011 


register — see below 


11 100 


register— see below 


11 101 


register— see below 


11 110 


register— see below 


11 111 


register — see below 



Register Specified by r/m 
During 16-Bit Data Operations 


mod r/m 


Function of w Field 


(whenw = 0) 


(when w = 1) 


11000 
11001 
11010 
11011 
11 100 
11 101 
11 110 

11 111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


AX 
CX 
DX 
BX 
SP 
BP 
SI 
Dl 



Register Specified by r/m 
During 32-Bit Data Operations 


mod r/m 


Function of w Field 


{whenw = 0) 


(whenw =1) 


11000 
11 001 
11010 

11 oil 

11 100 
11 101 
11 110 

11 111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


EAX 
ECX 
EDX 
EBX 
ESP 
EBP 
ESI 
EDI 
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Encoding of 32-blt Address Mode with "mod r/m" byte (no "s-i-b" byte present): 



mod r/m 


Effective Address 


00 000 


DS:[EAX] 


00 001 


DS:[ECX] 


00 010 


DS:[EDX] 


00 011 


DS:[EBX] 


00 100 


s-i-b is present 


00 101 


DS:d32 


00110 


DS:[ESI] 


00 111 


DS:[EDI] 


01 000 


DS:[EAX + d8] 


01001 


DS:[ECX + d8] 


01 010 


DS:[EDX + d8] 


01011 


DS:[EBX + d8] 


01 100 


s-i-b is present 


01 101 


SS:[EBP + d8] 


01 110 


DS:[ESI + d8] 


01 111 


DS:[EDI + d8] 



mod r/m 


Effective Address 


10 000 


DS:[EAX + d32] 


10 001 


DS:[ECX-f-d32] 


10010 


DS:[EDX + d32l 


10011 


DS:[EBX + d32] 


10 100 


s-i-b is present 


10 101 


SS:[EBP + d32] 


10110 


DS:[ESI + d32] 


10111 


DS:[EDI + d32] 


11 000 


register— see below 


11001 


register— see below 


11010 


register— see below 


11011 


register — see below 


11 100 


register— see below 


11101 


register— see below 


11110 


register— see below 


11 111 


register— see below 



Register Specified by reg or r/m 
during 16-Bit Data Operations: 


mod r/m 


function of w field 


(whenw = 0) 


(whenw=1) 


11 000 
11 001 
11010 
11011 
11 100 
11 101 
11 110 

11 111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


AX 
CX 
DX 
BX 
SP 
BP 
SI 
Dl 



Register Specified by reg or r/m 
during 32-Bit Data Operations: 


mod r/m 


function of w field 


(whenw=0) 


(whenw=1) 


11000 
11001 
11 010 
11011 
11 100 
11 101 
11 110 

11 111 


AL 
CL 
DL 
BL 
AH 
CH 
DH 
BH 


EAX 
ECX 
EDX 
EBX 
ESP 
EBP 
ESI 
EDI 
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Encoding of 32-blt Address Mode ("mod r/m" byte and "s-i-b" byte present): 



mod base 


Effective Address 


00 000 


DS:[EAX 


+ 


(scaled index)] 




00 001 


DS:[ECX 


+ 


(scaled index)] 




00 010 


DS:[EDX 


+ 


(scaled index)] 




00 011 


DS:[EBX 


+ 


(scaled index)] 




00 100 


SS:[ESP 


+ 


(scaled index)] 




00101 


DS:[d32 


+ 


(scaled index)] 




00110 


DS:[ESI 


+ 


(scaled index)] 




00111 


DS:[EDI 


+ 


(scaled Index)] 




01000 


DS:[EAX 


+ 


(scaled index) 


+ d8] 


01001 


DS:[ECX 


+ 


(scaled index) 


+ d8] 


01010 


DS:[EDX + 


(scaled index) 


+ d8] 


01 011 


DS:[EBX 


+ 


(scaled index) 


+ dS] 


01 100 


SS:[ESP 


+ 


(scaled index) 


+ dS] 


01 101 


SS:[EBP 


+ 


(scaled index) 


+ dS] 


01 110 


DS:[ESI 


4- 


(scaled index) 


+ dS] 


01 111 


DS.IEDI 


4- 


(scaled index) 


+ dS] 


10 000 


DS:[EAX 


+ 


(scaled index) 


+ d32] 


10 001 


DS:[ECX 


+ 


(scaled index) 


+ d32] 


10010 


DS:[EDX 


+ 


(scaled index) 


+ d32] 


10011 


DS:[EBX 


+ 


(scaled index) 


+ d32] 


10100 


SS:[ESP 


+ 


(scaled index) 


+ d32] 


10 101 


SS:[EBP 


+ 


(scaled index) 


+ d32] 


10110 


DS:[ESI 


+ 


(scaled index) 


+ d32] 


10111 


DS:[EDI 


+ 


(scaled index) 


+ d32] 



ss 


Scale Factor 


00 
01 
10 

11 


Xl 

x2 
x4 
x8 



index 


Index Register 


000 


EAX 


001 


ECX 


010 


EDX 


oil 


EBX 


100 


no index reg** 


101 


EBP 


110 


ESI 


111 


EDI 



•♦IMPORTANT NOTE: 

When index field is 100, indicating "no index register," then 
ss field MUST equal 00. If index is 100 and ss does not 
equal 00, the effective address is undefined. 



NOTE: 

Mod field in 
"s-i-b" byte. 



'mod r/m" byte; ss, index, base fields in 
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6.2.3.5 ENCODING OF OPERATION DIRECTION 
(d) FIELD 

In many two-operand instructions the d field is pres- 
ent to indicate which operand is considered the 
source and which is the destination. 



Direction of Operation 



Register/ Memory <- - Register 
"reg" Field Indicates Source Operand; 
"mod r/m" or "mod ss index base" Indicates 
Destination Operand 



Register <- - Register/ Memory 
"reg" Field Indicates Destination Operand; 
"mod r/m" or "mod ss index base" Indicates 
Source Operand 



6.2.3.6 ENCODING OF SIGN-EXTEND (s) FIELD 

The s field occurs primarily to instructions with im- 
mediate data fields. The s field has an effect only if 
the size of the immediate data is 8 bits and is being 
placed in a 16-bit or 32-bit destination. 



Effect on 
Immediate DataS 


Effect on 
Immediate Data 16|32 


ONone 

1 Sign-Extend Data8 to Fill 
1 6-Bit or 32-Blt Destination 


None 
None 



6.2.3.7 ENCODING OF CONDITIONAL TEST 
(tttn) FIELD 

For the conditional instructions (conditional jumps 
and set on condition), tttn Is encoded with n indicat- 
ing to use the condition (n = 0) or Its negation (n = 1 ), 
and ttt giving the condition to test. 



Mnemonic 


Condition 


tttn 





Overflow 


0000 


NO 


No Overflow 


0001 


B/NAE 


Below/Not Above or Equal 


0010 


NB/AE 


Not Below/ Above or Equal 


0011 


E/Z 


Equal/Zero 


0100 


NE/NZ 


Not Equal/Not Zero 


0101 


BE/NA 


Below or Equal/Not Above 


0110 


NBE/A 


Not Below or Equal/Above 


0111 


S 


Sign 


1000 


NS 


Not Sign 


1001 


P/PE 


Parity/ Parity Even 


1010 


NP/PO 


Not Parity/Parity Odd 


1011 


L/NGE 


Less Than/ Not Greater or Equal 


1100 


NL/GE 


Not Less Than/Greater or Equal 


1101 


LE/NG 


Less Than or Equal /Greater Than 


1110 


NLE/G 


Not Less or Equal/Greater Than 


1111 



6.2.3.8 ENCODING OF CONTROL OR DEBUG 
OR TEST REGISTER (eee) FIELD 

For the loading and storing of the Control, Debug 
and Test registers. 

When Interpreted as Control Register Field 



eee Code 


Reg Name 


000 
010 

oil 


CRO 
CR2 
CR3 


Do not use any other encoding 



When Interpreted as Debug Register Field 



eee Code 


Reg Name 


000 


DRO 


001 


DR1 


010 


DR2 


011 


DR3 


110 


DR6 


111 


DR7 


Do not use any other encoding 



When Interpreted as Test Register Field 


eee Code 


Reg Name 


110 
111 


TR6 
TR7 


Do not use any other encoding 
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9665 Chesapeake Dr. 

Suite 325 

San Diego 92123 

Tel: (619) 292-8086 

FAX: (619) 292-0628 

tintel Corp.* 

400 N. Tustin Avenue 

Suite 450 

Santa Ana 92705 

Tel: (714) 835-9642 

TWX: 910-595-1114 

FAX: (714) 541-9157 

tlntei Corp.* 

San Tomas 4 

2700 San Tomas Expressway 

2nd Floor 

Santa Clara 95051 

Tel: (408) 986-8086 

TWX: 910-338-0255 

FAX: (408) 727-2620 

COLORADO 

Intel Corp. 

4445 Northpark Drive 

Suite 100 

Colorado Springs 80907 

Tel: (719) 594-6622 

FAX: (303) 594-0720 

tintel Corp.* 
650 S. Cherry St. 
Suite 915 
Denver 80222 
Tel: (303) 321-8086 
TWX: 910-931-2289 
FAX: (303) 322-8670 

CONNECTICUT 

Intel Corp. 

301 Lee Farm Corporate Park 

83 Wooster Heights Rd. 

Danbury 06810 

Tel: (203) 748-3130 

FAX: (203) 794-0339 



FLORIDA 

tintel Corp. 

800 Fairway Drive 

Suite 160 

Deerfield Beach 33441 

Tel: (305) 421-0506 

FAX: (305) 421-2444 

tintel Corp. 
5850 T.G. Lee Blvd. 
Suite 340 
Orlando 32822 
Tel: (407) 240-8000 
FAX: (407) 240-8097 

Intel Corp. 

11300 4th Street North 

Suite 170 

St. Petersburg 33716 

Tel: (813) 577-2413 

FAX: (813) 578-1607 

GEORGIA 

tintel Corp. 

20 Technology Parkway 

Suite 150 

Norcross 30092 

Tel: (404) 449-0541 

FAX: (404) 605-9762 

ILLINOIS 

tintel Corp.* 

Woodfield Corp. Center 111 
300 N. Martingale Road 
Suite 400 

Schaumburg 60173 
Tel: (708) 605-8031 
FAX: (708) 706-9762 

INDIANA 

Intel Corp. 
8910 Purdue Road 
Suite 350 
Indianapolis 46268 
Tel: (317) 875-0623 
FAX: (317) 875-8938 

IOWA 

Intel Corp. 

1930 St. Andrews Drive N.E. 

2nd Floor 

Cedar Rapids 52402 

Tel: (319)393-5510 

KANSAS 

tintel Corp. 
10985 Cody St. 
Suite 140 

Overland Park 66210 
Tei: (913) 345-2727 
FAX: (913) 345-2076 

MARYLAND 

tintel Corp.* 
10010 Junction Dr. 
Suite 200 

Annapolis Junction 20701 
Tel: (301) 206-2860 
FAX: (301) 206-3677 
(301) 206-3678 

MASSACHUSETTS 

tintel Corp.* 
Westford Corp. Center 
3 Carlisle Road 
2nd Floor 
Westford 01 886 
Tel: (508) 692-0960 
TWX: 710-343-6333 
FAX: (508) 692-7867 



MICHIGAN 

tintel Corp. 

7071 Orchard Lake Road 

Suite 100 

West Bloomfield 48322 

Tel: (313) 851-8096 

FAX: (313) 851-8770 

MINNESOTA 

tintel Corp. 
3500 W. 80th St. 
Suite 360 

Bloomington 55431 
Tel: (612) 835-6722 
TWX: 910-576-2867 
FAX: (612) 831-6497 

MISSOURI 

tintel Corp, 

4203 Earth City Expressway 

Suite 131 

Earth City 63045 

Tel: (314) 291-1990 

FAX: (314) 291-4341 

NEW JERSEY 

tintel Corp.* 

Parkway 109 Office Center 

328 Newman Springs Road 

Red Bank 07701 

Tel: (201) 747-2233 

FAX: (201) 747-0983 

Intel Corp. 

280 Corporate Center 
75 Livingston Avenue 
First Floor 
Roseland 07068 
Tel: (201) 740-0111 
FAX: (201)740-0626 

NEW YORK 

Intel Corp.* 

850 Crosskeys Office Park 

Fairport 14450 

Tel: (716) 425-2750 

TWX: 510-253-7391 

FAX: (716) 223-2561 

tintel Corp.* 

2950 Express Dr., South 

Suite 130 

Islandia 11722 

Tel: (516) 231-3300 

TWX: 510-227-6236 

FAX: (516) 348-7939 

tintel Corp. 

Westage Business Center 

BIdg. 300, Route 9 

Fishkill 12524 

Tel: (914) 897-3860 

FAX: (914) 897-3125 

NORTH CAROLINA 

tintel Corp. 

5800 Executive Center Dr. 

Suite 105 

Charlotte 28212 

Tel: (704) 568-8966 

FAX: (704) 535-2236 

tintel Corp. 
5540 Centen/iew Dr. 
Suite 215 
Raleigh 27606 
Tel: (919) 851-9537 
FAX: (919) 851-8974 

OHIO 

tintel Corp.* 

3401 Park Center Drive 

Suite 220 

Dayton 45414 

Tel: (513) 890-5350 

TWX: 810-450-2528 

FAX: (513) 890-8658 



tintel Corp.* 
25700 Science Park Dr. 
Suite 100 
Beachwood 44122 
Tel: (216) 464-2736 
TWX: 810-427-9298 
FAX: (804) 282-0673 

OKLAHOMA 

Intel Corp. 
6801 N. Broadway 
Suite 115 

Oklahoma City 73162 
Tel: (405) 848-8086 
FAX: (405) 840-9819 



OREGON 

tintel Corp. 

15254 N.W. Greenbrier Parkway 

Building B 

Beaverton 97005 

Tel: (503) 645-8051 

TWX: 910-467-8741 

FAX: (503)645-8181 



PENNSYLVANIA 

tintel Corp.* 
925 Harvest Drive 
Suite 200 
Blue Bell 19422 
Tel; (215) 641-1000 
FAX: (215) 641-0785 

tintel Corp.* 
400 Penn Center Blvd. 
Suite 610 
Pittsburgh 15235 
Tel: (412) 823-4970 
FAX: (412) 829-7578 



PUERTO RICO 

tintel Corp. 
South Industrial Park 
P.O. Box 910 
Las Piedras 00671 
Tel: (809) 733-8616 



TEXAS 

Intel Corp. 

891 1 Capital of Texas Hwy. 

Austin 78759 

Tel: (512)794-8086 

FAX: (512) 338-9335 

tintel Corp.* 
12000 Ford Road 
Suite 400 
Dallas 75248 
Tel: (214) 241-8087 
FAX: (214)484-1180 

tintel Corp.* 
7322 S.W. Freeway 
Suite 1490 
Houston 77074 
Tel: (713) 988-8086 
TWX: 910-881-2490 
FAX: (713) 988-3660 



UTAH 

tintel Corp. 
428 East 6400 South 
Suite 104 
Murray 84107 
Tel: (801) 263-8051 
FAX: (801)268-1457 



VIRGINIA 

tintel Corp. 

1504 Santa Rosa Road 
Suite 108 
Richmond 23288 
Tel: (804) 282-5668 
FAX: (216) 464-2270 

WASHINGTON 

tintel Corp. 

155 108th Avenue N.E. 

Suite 386 

Bellevue 98004 

Tel: (206) 453-8086 

TWX: 910-443-3002 

FAX: (206) 451-9556 

Intel Corp. 
408 N. Mullan Road 
Suite 102 
Spokane 99206 
Tel: (509) 928-8086 
FAX: (509) 928-9467 

WISCONSIN 

Intel Corp. 
330 S. Executive Dr. 
Suite 102 
Brookfield 53005 
Tel: (414) 784-8087 
FAX: (414)796-2115 



CANADA 



BRITISH COLUMBIA 

Intel Semiconductor of 
Canada, Ltd. 
4585 Canada Way 
Suite 202 
Burnaby V5G 4L6 
Tel: (604) 298-0387 
FAX: (604) 298-8234 



ONTARIO 

tintel Semiconductor of 

Canada, Ltd. 

2650 Queensview Drive 

Suite 250 

Ottawa K2B 8H6 

Tel: (613) 829-9714 

FAX: (613) 820-5936 

tintel Semiconductor of 
Canada, Ltd. 
190Attwell Drive 
Suite 500 
Rexdale M9W 6H8 
Tel: (416) 675-2105 
FAX: (416) 675-2438 



QUEBEC 

tintel Semiconductor of 
Canada, Ltd. 
1 Rue Holiday 
Suite 115 
Tour East 
R. Claire H9R 5N3 
Tel: (514)694-9130 
FAX: 514-694-0064 



tSalcs and Service Office 
♦Field Application Location 



inter 



DOMESTIC DISTRIBUTORS 



ALABAMA 

Arrow Electronics, Inc. 
1015 Henderson Road 
Huntsville 35805 
Tel: (205) 837-6955 
FAX: 205-751-1581 

Hamilton/Avnet Electronics 
4940 Research Drive 
Huntsville 35805 
Tel: (205) 837-7210 
FAX: 205-721-0356 

Pioneer/Technologies Group, Inc. 
4825 University Square 
Huntsville 35805 
Tel: (205) 837-9300 
FAX: 205-837-9358 

ARIZONA 

tArrow Electronics, Inc. 
4134 E.Wood Street 
Phoenix 85040 
Tel: (602) 437-0750 
TWX: 910-951-1550 

tHamilton/Avnet Electronics 
505 S. Madison Drive 
Tempe 85281 
Tel: (502) 231-5140 
TWX: 910-950-0077 

Hamilton/Avnet Electronics 
30 South IVlcKemy 
Chandler 85226 
Tel: (602) 961-6669 
FAX: 602-961-4073 

Wyle Distribution Group 
4141 E. Raymond 
Phoenix 85040 
Tel: (602) 249-2232 
TWX: 910-371-2871 

CALIFORNIA 

tArrow Electronics, Inc. 
19748 Dearborn Street 
Chatsworth 91311 
Tel: (213) 701-7500 
TWX: 910-493-2086 

tArrow Electronics, Inc. 
951 1 Ridgehaven Court 
San Diego 92123 
Tel: (619) 565-4800 
FAX: 619-279-8062 

tArrow Electronics, Inc. 
521 Weddell Drive 
Sunnyvale 94086 
Tel: (408) 745-6600 
TWX: 910-339-9371 

tArrow Electronics, Inc. 
2961 Dow Avenue 
Tustin 92680 
Tel: (714) 838-5422 
TWX: 910-595-2860 

tHamilton Electro Sales 
3170 Pullman Street 
Costa Mesa 92626 
Tel: (714) 641-4150 
TWX: 910-595-2638 

tHamilton/Avnet Electronics 
1175 Bordeaux Drive 
Sunnyvale 94086 
Tel: (408) 743-3300 
TWX: 910-339-9332 

tHamilton/Avnet Electronics 
4545 Ridgeview Avenue 
San Diego 92123 
Tel: (619) 571-7500 
TWX: 910-595-2638 

tHamilton/Avnet Electronics 
21150 Califa St. 
Woodland Hills 91376 
Tel: (818) 594-0404 
FAX: 818-594-8233 

tHamilton Electro Sales 
10950 W. Washington Blvd. 
Culver City 20230 
Tel: (213) 558-2458 
TWX: 910-340-6364 

tHamilton Electro Sales 
1361B West 190th Street 
Gardena 90248 
Tel: (213) 217-6700 
TWX: 910-340-6364 



tHamilton/Avnet Electronics 
3002 'G' Street 
Ontario 91761 
Tel: (714)989-9411 

tAvnet Electronics 
20501 Plummer 
Chatsworth 91351 
Tel: (213) 700-6271 
TWX: 910-494-2207 

tHamilton/Avnet Electronics 
4103 Northgate Blvd. 
Sacramento 95834 
Tel: (916) 920-3150 

Pionifeer Electronics 
134 Rio Robles 
San Jose 95134 
Tel: (408) 954-9100 
FAX: 408-954-9113 

Wyle Distribution Group 
124 Maryland Street 
El Segundo 90254 
Tel: (213)322-8100 

Wyle Distribution Group 
7431 Chapman Ave. 
Garden Grove 92641 
Tel: (714)891-1717 
F/\X: 714-891-1621 

tWyle Distribution Group 
2951 Sunrise Blvd., Suite 175 
Rancho Cordova 95742 
Tel: (916) 638-5282 

tWyle Distribution Group 
9525 Chesapeake Drive 
San Diego 92123 
Tel: (619) 565-9171 
TWX: 910-335-1590 

tWyle Distribution Group 
3000 Bowers Avenue 
Santa Clara 95051 
Tel: (408) 727-2500 
TWX: 408-988-2747 

tWyle Distribution Group 
1 7872 Cowan Avenue 
In/ine 92714 
Tel: (714) 863-9953 
TWX: 910-371-7127 

tWyle Distribution Group 
26677 W. Agoura Rd. 
Calabasas 91302 
Tel: (818) 880-9000 
TWX: 372-0232 

COLORADO 

Arrow Electronics, Inc. 
7060 South Tucson Way 
Englewood 80112 
Tel: (303) 790-4444 . 

tHamilton/Avnet Electronics 
9605 Maroon Circle 
Suite 200 
Englewood 80112 
Tel: (303) 799-0663 , 
TWX: 910-935-0787 

tWyle Distribution Group 
451 E. 124th Avenue 
Thornton 80241 
Tel: (303) 457-9953 
TWX: 910-936-0770 

CONNECTICUT 

tArrow Electronics, Inc. 
12 Beaumont Road 
Wallingford 06492 
Tel: (203) 265-7741 
TWX: 710-476-0162 

tHamilton/Avnet Electronics 
Commerce Industrial Park 
Commerce Drive 
Danbury 06810 
Tel; (203) 797-2800 
TWX: 710-456-9974 

tPioneer Electronics 
112 Main Street 
Nonwalk 06851 
Tel: (203) 853-1515 
FAX: 203-838-9901 



FLORIDA 

tArrow Electronics, Inc. 
400 Fairway Drive 
Suite 102 

Deerfield Beach 33441 
Tel: (305) 429-8200 
FAX: 305-428-3991 

tArrow Electronics, Inc. 
37 Skyline Drive 
Suite 3101 
Lake Marv 32746 
Tel: (407) 323-0252 
FAX: 407-323-3189 

tHamilton/Avnet Electronics 
6801 N.W. 15th Way 
Ft. Lauderdale 33309 
Tel: (305) 971-2900 
FAX: 305-971-5420 

tHamilton/Avnet Electronics 
3197 Tech Drive North 
St. Petersburg 33702 
Tel: (813) 573-3930 
FAX: 813-572-4329 

tHamilton/Avnet Electronics 
6947 University Boulevard 
Winter Park 32792 
Tel: (407) 628-3888 
FAX: 407-678-1878 

tPioneer/Technologies Group, Inc. 
337 Northlake Blvd., Suite 1000 
Alta Monte Springs 32701 
Tel: (407) 834-9090 
FAX: 407-834-0865 

Pioneer/Technologies Group, Inc. 
674 S. Military Trail 
Deerfield Beach 33442 
Tel: (305) 428-8877 
FAX: 305-481-2950 

GEORGIA 

tArrow Electronics, Inc. 
4250 E. Rivergreen Parkway 
Deluth 30136 
Tel: (404) 497-1300 
TWX: 810-766-0439 

tHamilton/Avnet Electronics 
5825 D Peachtree Corners 
Norcross 30092 
Tel: (404) 447-7500 
TWX: 810-766-0432 

Pioneer/Technologies Group, Inc. 
3100 F Northwoods Place 
Norcross 30071 
Tel: (404)448-1711 
FAX: 404-446-8270 

ILLINOIS 

tArrow Electronics, Inc. 
1140W. Thorndale 
Itasca 60143 
Tel: (708) 250-0500 
TWX: 708-250-0916 

tHamilton/Avnet Electronics 
1 1 30 Thorndale Avenue 
Bensenville 60106 
Tel: (708) 860-7780 
TWX: 708-860-8530 

MTI Systems Sales 
1100 W. Thorndale 
Itasca 60143 
Tel: (708) 773-2300 

tPioneer Electronics 

2171 Executive Dr., Suite 200 

Addison 60101 

Tel: (708) 495-9680 

FAX: 708-495-9831 

INDIANA 

tArrow Electronics, Inc. 

7108 Lakeview Parkway West Drive 

Indianapolis 46268 

Tel: (317) 299-2071 

FAX: 317-299-0255 

Hamilton/Avnet Electronics 
485 Gradle Drive 
Carmel 46032 
Tel: (317) 844-9333 
FAX: 317-844-5921 



tPioneer Electronics 
9350 Priority Way 
West Drive 
Indianapolis 46250 
Tel: (317) 573-0880 
FAX: 317-573-0979 

IOWA 

Hamilton/Avnet Electronics 
915 33rd Avenue, S.W. 
Cedar Rapids 52404 
Tel: (319) 362-4757 

KANSAS 

Arrow Electronics 

8208 Melrose Dr., Suite 210 

Lenexa 66214 

Tel: (913) 541-9542 

FAX: 913-541-0328 

tHamilton/Avnet Electronics 
15313 W. 95th 
Overland Park 66215 
Tel: (913) 888-8900 
FAX: 913-541-7951 

KENTUCKY 

Hamilton/Avnet Electronics 
1051 D. Newton Park 
Lexington 4051 1 
Tel: (606) 259-1475 

MARYLAND 

tArrow Electronics, Inc. 
8300 Guilford Drive 
Suite H, River Center 
Columbia 21046 
Tel: (301) 995-6002 
FAX: 301-381-3854 

tHamilton/Avnet Electronics 
6822 Oak Hall Lane 
Columbia 21045 
Tel: (301) 995-3500 
FAX: 301-995-3593 

tMesa Technology Corp. 
9720 Patuxent Woods Dr. 
Columbia 21046 
Tel: (301) 290-8150 
FAX: 301-290-6474 

tPioneer/Technologies Group, Inc. 
9100Gaither Road 
Gaithersburg 20877 
Tel: (301) 921-0660 
FAX: 301-921-4255 

MASSACHUSETTS 

Arrow Electronics, Inc. 
25 Upton Dr. 
Wilmington 01887 
Tel: (508) 658-0900 
TWX: 710-393-6770 

tHamilton/Avnet Electronics 
10D Centennial Drive 
Peabody 01960 
Tel: (508) 532-9838 
FAX: 508-596-7802 

tPioneer Electronics 
44 Hartwell Avenue 
Lexington 02173 
Tel: (617) 861-9200 
F/\X: 617-863-1547 

Wyle Distribution Group 
15 Third Avenue 
Burlington 01803 
Tel: (617) 272-7300 
FAX: 617-272-6809 

MICHIGAN 

tArrow Electronics, Inc. 
19880 Haggerty Road 
Livonia 48152 
Tel: (313) 665-4100 
TWX: 810-223-6020 

Hamilton/Avnet Electronics 
2215 29th Street S.E. 
Space A5 

Grand Rapids 49508 
Tel: (616) 243-8805 
FAX: 616-698-1831 



Hamilton/Avnet Electronics 
41650 Garden Brook 
Novi 48050 
Tel: (313) 347-4271 
FAX: 313-347-4021 

tPioneer Electronics 
4505 Broadmoor S.E. 
Grand Rapids 49508 
Tel: (616)698-1800 
FAX: 616-698-1831 

tPioneer/Michigan 
13485 Stamford 
Livonia 48150 
Tel: (313) 525-1800 
FAX: 313-427-3720 



MINNESOTA 

tArrow Electronics, Inc. 
5230 W. 73rd Street 
Edina 55435 
Tel: (612) 830-1800 
TWX: 910-576-3125 

tHamilton/Avnet Electronics 
12400 Whitewater Drive 
Minnetonka 55434 
Tel: (612) 932-0600 
TWX: 910-576-2720 

tPioneer Electronics 
7625 Golden Triange Dr. 
Suite G 

Eden Prairi 55343 
Tel: (612) 944-3355 
FAX: 612-944-3794 



MISSOURI 

tArrow Electronics, Inc. 
2380 Schuetz 
St. Louis 63141 
Tel: (314) 567-6888 
FAX: 314-567-1164 

tHamilton/Avnet Electronics 
741 Goddard 
Chesterfield 63005 
Tel: (314) 537-1600 
FAX: 314-537-4248 



NEW JERSEY 

tArrow Electronics, Inc. 
4 East Stow Road 
Unit 11 

Marlton 08053 
Tel: (609) 596-8000 
FAX: 609-596-9632 

tArrow Electronics 
6 Century Drive 
Parsipanny 07054 
Tel: (201)538-0900 
FAX: 201-538-0900 

tHamilton/Avnet Electronics 
1 Keystone Ave., BIdg. 36 
Cherry Hill 08003 
Tel: (609)424-0110 
FAX: 609-751-2552 

tHamilton/Avnet Electronics 
1 Industrial 
Fairfield 07006 
Tel: (201) 575-3390 
FAX: 201-575-5839 

tMTI Systems Sales 
9 Law Drive 
Fairfield 07006 
Tel: (201) 227-5552 
FAX: 201-575-6336 . 

tPioneer Electronics 
14-A Madison Rd. 
Fairfield 07006 
Tel: (201) 575-3510 
FAX: 201-575-3454 



tCertified Technical Distributor 



inteT 



DOMESTIC DISTRIBUTORS (Contd.) 



NEW MEXICO 

Alliance Electronics Inc. 
10510 Research Avenue 
Albuquerque 87123 
Tel: (505) 292-3360 
FAX: 505-292-6537 

tHamilton/Avnet Electronics 
5659A Jefferson N.E. 
Albuquerque 87109 
Tel: (505) 765-1500 
FAX: 505-243-1395 

NEW YORK 

tArrow Electronics, Inc. 
3375 Brighton Henrietta 
Townline Rd. 
Rochester 14623 
Tel: (716) 427-0300 
TWX: 510-253-4766 

Arrow Electronics, Inc. 
20 Oser Avenue 
Hauppauge 11788 
Tel: (516) 231-1000 
TWX: 510-227-6623 

tHamilton/Avnet 
933 Motor Parkway 
Hauppauge 11788 
Tel: (516) 231-9800 
TWX: 510-224-6166 

tHamilton/Avnet Electronics 
2060 Townline Rd. 
Rochester 14623 
Tel: (716)272-2744 ' 
TWX: 510-253-5470 

Hamilton/Avnet Electronics 
1 03 Twin Oaks Drive 
Syracuse 13206 
Tel: (315) 437-0288 
TWX: 710-541-1560 

tMTI Systems Sales 
38 Harbor Park Drive 
Port Washington 11050 
Tel: (516) 621-6200 
FAX: 510-223-0846 

Pioneer Electronics 
68 Corporate Drive 
Binghamton 13904 
Tel: (607) 722-9300 
FAX: 607-722-9562 

Pioneer Electronics 
40 Oser Avenue 
Hauppauge 11787 
Tel: (516) 231-9200 
FAX: 510-227-9869 

tPioneer Electronics 
60 Crossway Park West 
Woodbury, Long Island 11797 
Tel: (516) 921-8700 
FAX: 516-921-2143 

tPioneer Electronics 
840 Fairport Park 
Fairport 14450 
Tel: (716)381-7070 
FAX: 716-381-5955 



NORTH CAROLINA 

tArrow Electronics, Inc. 
5240 Greensdairy Road 
Raleigh 27604 
Tel: (919) 876-3132 
TWX: 510-928-1856 

tHamilton/Avnet Electronics 
3510 Spring Forest Drive 
Raleigh 27604 
Tel: (919)878-0819 
TWX: 510-928-1836 

Pioneer/Technologies Group, Inc. 
9401 L-Southern Pine Blvd. 
Charlotte 28210 
Tel: (919) 527-8188 
FAX: 704-522-8564 

OHIO 

tArrow Electronics, Inc. 
6238 Cochran Road 
Solon 44139 
Tel: (216) 248-3990 
TWX: 810-427-9409 

tHamilton/Avnet Electronics 
7760 Washington Village Dr. 
Dayton 45459 
Tel: (513) 439-6733 
FAX: 5 13-439-67 11 

tHamilton/Avnet Electronics 
30325 Bainbridge 
Solon 44139 
Tel: (216) 349-5100 
TWX: 810-427-9452 

Hamilton/Avnet Electronics 
777 Brookside Blvd. 
Westen/ille 43081 
Tel: (614) 882-7004 

tPioneer Electronics 
4433 Interpoint Boulevard 
Dayton 45424 
Tel: (513) 236-9900 
FAX: 513-236-8133,, 

tPioneer Electronics 
4800 E. 131st Street 
Cleveland 44105 
Tel: (216) 587-3600 
FAX: 216-663-1004 

OKLAHOMA 

tHamilton/Avnet Electronics 
12121 E. 51st St., Suite 102A 
Tulsa 74146 
Tel: (918) 252-7297 

OREGON 

tAlmac Electronics Corp. 
1885 N.W. 169th Place 
Beaverton 97005 
Tel: (503). 629-8090 
FAX: 503-645-061 1 

tHamilton/Avnet Electronics 
9409 S.W. Nimbus 
Beaverton 97005 
Tel: (503) 627-0201 
FAX: 503-641-4012 



Wyle Distribution Group 

5250 N.E. Elam Young Parkway 

Suite 600 

Hillsboro 97124 

Tel: (503) 640-6000 

FAX: 503-640-5846 

PENNSYLVANIA 

Arrow Electronics, Inc. 
650 Seqo Road 
Monroeville 15146 
Tel: (412) 856-7000 

Hamilton/Avnet Electronics 
2800 Liberty Ave. 
Pittsburgh 15238 
Tel: (412) 281-4150 

Pioneer Electronics 
259 Kappa Drive 
Pittsburgh 15238 
Tel: (412) 782-2300 
FAX: 412-963-8255 

tPioneer/Technologies Group, Inc. 

Delaware Valley 

261 Gibralter Road 

Horsham 19044 

Tel: (215) 674-4000 

FAX: 215-674-3107 

TEXAS 

tHamilton/Avnet Electronics 
1807 W. Braker Lane 
Austin 78758 
Tel: (512)837-8911 
TWX: 910-874-1319 

tHamilton/Avnet Electronics 
4004 Beltline, Suite 200 
Dallas 75234 
Tel: (214)308-8111 
TWX: 910-860-5929 

tHamilton/Avnet Electronics 
4850 Wright Rd., Suite 190 
Stafford 77477 
Tel: (713) 240-7733 
TWX: 910-881-5523 

tPioneer Electronics 
1826-D Kramer 
Austin 78758 
Tel: (512) 835-4000 
FAX: 512-835-9829 

tPioneer Electronics 
13710 Omega Road 
Dallas 75244 
Tel: (214) 386-7300 
FAX: 214-490-6419 

tPioneer Electronics 
5853 Point West Drive 
Houston 77036 
Tel: (713) 988-5555 
FAX: 713-982-1732 

tWyle Distribution Group 
1810 Greenville Avenue 
Richardson 75081 
Tel: (214)235-9953 
FAX: 214-644-5064 



UTAH 

tHamilton/Avnet Electronics 
1585 West 2100 South 
Salt Lake City 84119 
Tel: (801)972-2800 
TWX: 910-925-4018 

tWyle Distribution Group 
1325 West 2200 South 
Suite E 

West Valley 841 19 
Tel: (801)974-9953 

WASHINGTON 

tAlmac Electronics Corp. 
14360 S.E. Eastgate Way 
Bellevue 98007 
Tel: (206) 643-9992 
FAX: 206-643-9709 

tHamilton/Avnet Electronics 
17761 N.E. 78th Place 
Redmond 98052 
Tel: (206)881-6697 
FAX: 206-867-0159 

Wyle Distribution Group 
15385 N.E. 90th Street 
Redmond 98052 
Tel: (206) 881-1150 
FAX: 206-881-1567 

WISCONSIN 

Arrow Electronics, Inc. 

200 N. Patrick Blvd., Ste. 100 

Brookfield 53005 

Tel: (414) 792-0150 

FAX: 414-792-0156 

tHamilton/Avnet Electronics 
28875 Crossroads Circle 
Suite 400 
Waukesha 53186 
Tel: (414)784-4510 
FAX: 414-784-9509 



CANADA 



ALBERTA 

Hamilton/Avnet Electronics 
2816 21st Street N.E. #3 
Calgary T2E 6Z3 
Tel: (403) 230-3586 
FAX: 403-250-1591 

Zentronics 
6815 #8 Street N.E. 
Suite 100 
Calgary T2E 7H 
Tel: (403)295-8818 
FAX: 403-295-8714 

BRITISH COLUMBIA 

tHamilton/Avnet Electronics 
105-2550 Boundary 
Burnaby V5M 3Z3 
Tel: (604) 437-6667 
FAX; 604-437-4712 



Zentronics 

108-11400 Bridgeport Road 

Richmond V6X 1T2 

Tel: (604)273-5575 

FAX: 604-273-2413 

ONTARIO 

Arrow Electronics, Inc. 
36 Antares Dr., Unit 100 
Nepean K2E 7W5 
Tel: (613)226-6903 
FAX: 613-723-2018 

Arrow Electronics, Inc. 
1093 Meyerside, Unit 2 
Mississauga L5T 1M4 
Tel: (416)673-7769 
FAX: 416-672-0849 

tHamilton/Avnet Electronics 
6845 Rexwood Road 
Units 3-4-5 
Mississauga L4T 1R2 
Tel: (416) 677-7432 
F/\X: 416-677-0940 

tHamilton/Avnet Electronics 
190 Colonnade Road South 
Nepean K2E 7L5 
Tel: (613) 226-1700 . 
FAX: 613-226-1184 

tZentronics 
1355 Meyerside Drive 
Mississauga L59 1C9 
Tel: (416) 564-9600 
FAX: 416-564-8320 

tZentronics 

155 Colonnade Road 

Unit 17 

Nepean K2E 7K1 

Tel: (613) 226-8840 

FAX: 613-226-6352 



QUEBEC 

Arrow Electronics Inc. 
4050 rue Jean Talon Quest 
Montreal H4P 1W1 
Tel: (514)735-5511 
FAX: 514-341-4821 

Arrow Electronics, Inc. 
500 Boul. St-Jean-Baptiste 
Suite 280 
Quebec G2E 5R9 
Tel: (418)871-7500 
FAX: 41 8-871 -681 6 

tHamilton/Avnet Electronics 
2795 Halpern 
St. Laurent H2E 7K1 
Tel: (514)335-1000 
FAX: 514-335-2481 

tZentronics 
520 McCaffrey 
St. Laurent H4T1N3 
Tel: (514) 737-9700 
FAX: 514-737-5212 



tCcrtified Technical Distributor 



inter 



DOMESTIC SERVICE OFFICES 



ALABAMA 

*lntel Corp. 

5015 Bradford Dr., Suite 2 

Huntsville 35805 

Tel: (205) 830-4010 

Intel Corp. 

c/o Budget Rent-A-Car 

1712 Highway 21 South 

Oxford 36203 

Tel: (205) 835-1270 

ALASKA 

Intel Corp. 

c/o TransAlaska Network 
1515 Lore Rd. 
Anchorage 99507 
Tel: (907) 522-1776 

Intel Corp. 

c/o TransAlaska Data Systems 

c/o GCI Operations 

520 Fifth Ave., Suite 407 

Fairbanks 99701 

Tel: (907) 452-6264 

ARIZONA 

*lnte! Corp. 
11225 N. 28th Dr. 
SuiteD-214 
Phoenix 85029 
Tel: (602) 869-4980 

*lntel Corp. 

500 E. Fry Blvd., Suite M-15 

Sierra Vista 85635 

Tel: (602) 459-5010 

ARKANSAS 

Intel Corp. 
c/o Federal Express 
1500 West Park Drive 
Little Rock 72204 

CALIFORNIA 

*lntel Corp. 

21515 Vanowen St., Ste. 116 

Canoga Park 91303 

Tel: (818) 704-8500 

*lntel Corp. 

2250 E. Imperial Hwy., Ste. 218 

El Segundo 90245 

Tel: (213) 640-6040 

*lntel Corp. 
1900 Prairie City Rd. 
Folsom 95630-9597 
Tel: (916)351-6143 

*lntel Corp. 

9665 Chesapeake Dr., Suite 325 

San Diego 92123-1326 

Tel: (619)292-8086 

**lntel Corp. 

400 N. Tustin Avenue 

Suite 450 

Santa Ana 92705 

Tel: (714) 835-9642 



**lntel Corp. 

2700 San Tomas Exp., 1st Floor 

Santa Clara 95051 

Tel: (408)970-1747 

COLORADO 

*lntel Corp. 

650 S. Cherry St., Suite 915 

Denver 80222 

Tel: (303) 321-8086 

CONNECTICUT 

* Intel Corp. 

83 Wooster Heights Rd. 

Danbury 0681 1 

Tel: (203) 748-3130 

FLORIDA 

**lntel Corp. 

6363 N.W. 6th Way, Ste. 100 
Ft. Lauderdale 33309 
Tel: (305) 771-0600 

*lntel Corp. 

5850 T.G. Lee Blvd., Ste. 340 

Orlando 32822 

Tel: (407) 240-8000 

GEORGIA 

*lntel Corp. 

20 Technology Park, Suite 150 

Norcross 30092 

Tel: (404) 449-0541 

HAWAII 

**lntel Corp. 
Honolulu 96820 
Tel: (808) 847-6738 

ILLINOIS 

**tlntel Corp. 

300 N. Martingale Rd., Ste. 400 

Schaumburg 60173 

Tel: (708) 605-8031 

INDIANA 

*lntel Corp. 

8777 Purdue Rd., Ste. 125 
Indianapolis 46268 
Tel: (317)875-0623 

KANSAS 

*lntel Corp. 

10985 Cody, Suite 140 
Overland Park 66210 
Tel: (913) 345-2727 

KENTUCKY 

Intel Corp. 

133 Walton Ave., Office 1 A 

Lexinaton 40508 

Tel: (606) 255-2957 

Intel Corp. 

896 Hillcrest Road, Apt. A 

Radcliff 40160 (Louisville) 



MARYLAND 

**lntel Corp. 

10010 Junction Dr., Suite 200 
Annapolis Junction 20701 
Tel: (301) 206-2860 

MASSACHUSETTS 

**lntel Corp. 

3 Carlisle Rd., 2nd Floor 

Westford 01886 

Tel: (508) 692-0960 

MICHIGAN 

*lntel Corp. 

7071 Orchard Lake Rd., Ste. 100 

West Bloomfield 48322 

Tel: (313) 851-8905 

MINNESOTA 

*lntel Corp. 

3500 W. 80th St., Suite 360 

Bloomington 55431 

Tel: (612) 835-6722 

MISSISSIPPI 

Intel Corp. 

c/o Compu-Care 

2001 Airport Road, Suite 205F 

Jackson 39208 

Tel: (601) 932-6275 

MISSOURI 

* Intel Corp. 

4203 Earth City Exp., Ste. 131 

Earth City 63045 

Tel: (314)291-1990 

Intel Corp. 
Route 2, Box 221 , 
Smithville 64089 
Tel: (913) 345-2727 

NEW JERSEY 

**lntel Corp. 
300 Sylvan Avenue 
Engiewood Cliffs 07632 
Tel: (201) 567-0821 

*lntel Corp. 

Parkway 109 Office Center 

328 Newman Springs Road 

Red Bank 07701 

Tel: (201) 747-2233 

NEW MEXICO 

Intel Corp. 

Rio Rancho 1 

4100 Sara Road 

Rio Rancho 87124-1025 

(near Albuquerque) 

Tel: (505) 893-7000 



NEW YORK 

*lntel Corp. 

2950 Expressway Dr. South 

Suite 130 

Islandia 11722 

Tel: (516) 231-3300 

Intel Corp. 

Westage Business Center 

BIdg. 300, Route 9 

Fishkill 12524 

Tel: (914) 897-3860 

Intel Corp. 

5858 East Molloy Road 
Syracuse 13211 
Tel: (315)454-0576 



NORTH CAROLINA 

*lntel Corp. 

5800 Executive Center Drive 

Suite 105 

Charlotte 28212 

Tel: (704) 568-8966 

**lntel Corp. 

5540 Centerview Dr., Suite 215 

Raleigh 27606 

Tel: (919) 851-9537 



OHIO 

**lntel Corp. 

3401 Park Center Dr., Ste. 220 

Dayton 45414 

Tel: (513) 890-5350 

*lntel Corp. 

25700 Science Park Dr., Ste. 100 

Beachwood 44122 

Tel: (216) 464-2736 



OREGON 

**lntel Corp. 

15254 N.W. Greenbrier Parkway 

Building B 

Beaverton 97005 

Tel: (503) 645-8051 

PENNSYLVANIA 

*tlntel Corp. 

455 Pennsylvania Ave., Ste. 230 

Fort Washington 19034 

Tel: (215) 641-1000 

**tlntel Corp. 

400 Penn Center Blvd., Ste. 610 

Pittsburoh 15235 

Tel: (412) 823-4970 

*lntel Corp. 
1513 Cedar Cliff Dr. 
Camp Hill 17011 
Tel: (717) 761-0860 



PUERTO RICO 

Intel Corp. 

South Industrial Park 
P.O. Box 910 
Las Piedras 00671 
Tel: (809) 733-8616 



TEXAS 

**lntel Corp. 

Westech 360, Suite 4230 

891 1 Capitol of Texas Hwy. 

Austin 78752-1239 

Tel : (512) 794-8086 

**tlntel Coro. 

12000 Ford Rd., Suite 401 

Dallas 75234 

Tel: (214) 241-8087 

**lntel Corp. 

7322 SW Freeway, Suite 1490 

Houston 77074 

Tel: (713) 988-8086 



VIRGINIA 

*lntel Corp. 

1504 Santa Rosa Rd., Ste. 108 

Richmond 23288 

Tel: (804) 282-5668 



WASHINGTON 

**lntel Corp. 

155 108th Avenue N.E., Ste. 386 

Beilevue 98004 

Tel: (206) 453-8086 



CANADA 



ONTARIO 

**lntel Semiconductor of 

Canada, Ltd. 

2650 Queensview Dr., Ste. 250 

Ottawa K2B 8H6 

Tel: (613) 829-9714 

**lntel Semiconductor of 
Canada, Ltd. 
190Attwell Dr., Ste. 102 
Rexdale (Toronto) M9W 6H8 
Tel: (416) 675-2105 



QUEBEC 

**lntel Semiconductor of 

Canada, Ltd. 

620 St. Jean Boulevard 

Pointe Claire (Montreal) H9R 3K3 

Tel: (514) 694-9130 



CUSTOMER TRAINING CENTERS 



2700 San Tomas Expressway 
Santa Clara 95051 
Tel: 1-800-328-0386 



MARYLAND 

10010 Junction Dr. 
Suite 200 

Annapolis Junction 20701 
Tel: 1-800-328-0386 



SYSTEMS ENGINEERING OFFICES 



MINNESOTA 

3500 W. 80th Street 
Suite 360 

Bloomington 55431 
Tel: (612) 835-6722 



2950 Expressway Dr., South 
Islandia 11722 
Tel: (506) 231-3300 



*Carry-in locations 
**Carry-in/mail-in locations 



Intel 



EUROPEAN SALES OFFICES 



FINLAND 

Intel Finland OY 
Ruosilantie 2 
00390 Helsinki 
Tel: (358) 544 644 
TLX: 123332 

FRANCE 

Intel Corporation S.A.R.L. 

1, Rue Edison-BP 303 

78054 St. Quentin-en-Yvelines 

Cedex 

Tel: (33) (1) 30 57 70 00 

TLX: 699016 

WEST GERMANY 

Intel GmbH* 

Dornacher Strasse 1 

8016 Feldkirchen bei Muenclien 

Tel: (49) 089/90992-0 

FAX: (49) 089/904/3948 



Intel GnnbH 

Abraham Lincoln Strasse 16-18 

6200 Wiesbaden 

Tel: (49) 06121/7605-0 

TLX: 4-186183 

Intel GmbH 
Zettachring 10A 
7000 Stuttgart 80 
Tel: (49)0711/7287-280 
TLX: 7-254826 



ISRAEL 

Intel Semiconductor Ltd.* 

Atidim Industrial Park-Neve Sharet 

P.O. Box 43202 

Tel-Aviv 61430 

Tel: (972) 03-498080 

TLX: 371215 



ITALY 

Intel Corporation Italia S.p.A.* 

Milanofiori Palazzo E 

20094 Assago 

Milano 

Tel: (39) (02) 89200950 

TLX: 341286 



NETHERLANDS 

Intel Semiconductor B.V.* 
Postbus 84130 
3099 CC Rotterdam 
Tel: (31) 10.407.11.11 
TLX: 22283 



SPAIN 

Intel Iberia S.A. 
Zurbaran, 28 
28010 Madrid 
Tel: (34) (1) 308.25.52 
TLX: 46880 



SWEDEN 

Intel Sweden A.B.* 
Daivagen 24 
171 36Solna 
Tel: (46) 8 734 01 00 
TLX: 12261 



SWITZERLAND 

Intel Semiconductor A.G. 

Zuerichstrasse 

8185 Winkel-Rueti bei Zuerich 

Tel: (41)01/860 62 62 

TLX: 825977 



UNITED KINGDOM 

Intel Corporation (U.K.) Ltd.* 
Pipers Way 

Swindon, Wiltshire SN3 1RJ 
Tel: (44) (0793) 696000 
TLX: 444447/8 



EUROPEAN DISTRIBUTORS/REPRESENTATIVES 



AUSTRIA 

Bacher Electronics G.m.b.H. 

Rotenmuehlgasse 26 

1120Wien 

Tel: (43) (0222) 83 56 46 

TLX: 31532 

BELGIUM 

Ineico Belgium S.A. 

Av. des Croix de Guerre 94 

1120 Bruxelles 

Oorlogskruisenlaan, 94 

1120 Brussel 

Tel: (32) (02)216 01 60 

TLX: 64475 or 22090 

DENMARK 

ITT-Multikomponent 

Naverland 29 

2600 Glostrup 

Tel: (45) (0) 2 45 66 45 

TLX: 33 355 

FINLAND 

OY Fintronic AB 
Melkonkatu 24A 
00210 Helsinki 
Tel: (358) (0) 6926022 
TLX: 124224 

FRANCE 

Almex 

Zone industrielle d'Antony 

48, rue de I'Aubepine 

BP 102 

92164 Antony cedex 

Tel: (33) (1)46 66 21 12 

TLX: 250067 

Jermyn-Generim 

60, rue des Gemeaux 

Silic 580 

94653 Rungis cedex 

Tel: (33) (1)49 78 49 78 

TLX: 261585 

Metrologie 
Tour d'Asnieres 
4, av. Laurent-Cely 
92606 Asnieres Cedex 
Tel: (33) (1)47 90 62 40 
TLX: 611448 



Tekelec-Airtronic 
Cite des Bruyeres 
Rue Carle Vernet - BP 2 
92310 Sevres 
Tel: (33) (1) 45 34 75 35 
TLX: 204552 

WEST GERMANY 

Electronic 2000 AG 
Stahlgruberring 12 
8000 Muenchen 82 
Tel: (49) 089/42001-0 
TLX: 522561 

ITT Multikomponent GmbH 
Postfach 1265 
Bahnhofstrasse 44 
7141 Moeglingen 
Tel: (49) 07141/4879 
TLX: 7264472 

Jermyn GmbH 
Im Dachsstueck 9 
6250 Limburg 
Tel: (49) 06431/508-0 
TLX: 415257-0 

Metrologie GmbH 
Meglingerstrasse 49 
8000 Muenchen 71 
Tel: (49) 089/78042-0 
TLX: 5213189 

Proelectron Vertriebs GmbH 
Max Planck Strasse 1-3 
6072 Dreieich 
Tel: (49) 06103/30434-3 
TLX: 417903 

IRELAND 

Micro Marketing Ltd. 

Glenageary Office Park 

Glenageary 

Co. Dublin 

Tel: (21) (353) (01)85 63 25 

TLX: 31584 

ISRAEL 

Eastronics Ltd. 
1 1 Rozanis Street 
P.O.B. 39300 
Tel-Aviv 61392 
Tel: (972) 03-475151 
TLX: 33638 



ITALY 

Intesi 

Divisione ITT Industries GmbH 

Viale Milanofiori 

Palazzo E/5 

20090 Assago (Ml) 

Tel: (39) 02/824701 

TLX: 311351 

Lasi Elettronica S.p.A. 

V. le Fulvio Testi, 126 

20092 Cinisello Balsamo (Ml) 

Tel: (39) 02/2440012 

TLX: 352040 

Telcom S.r.l. 
Via M. Civitali 75 
20148 Milano 
Tel: (39) 02/4049046 
TLX: 335654 

ITT Multicomponents 
Viale Milanofiori E/5 
20090 Assago (Ml) 
Tel: (39) 02/824701 
TLX: 311351 
Silverstar 

Via Dei Gracchi 20 
20146 Milano 
Tel: (39) 02/49961 
TLX: 332189 

NETHERLANDS 

Koning en Hartman Elektrotechniek 

B.V. 

Energieweg 1 

2627 AP Delft 

Tel: (31) (0) 15/609906 

TLX: 38250 

NORWAY 

Nordisk Elektronikk (Norge) A/S 

Postboks 123 

Smedsvingen 4 

1364 Hvalstad 

Tel: (47) (02)84 62 10 

TLX: 77546 

PORTUGAL 

ATD Portugal LDA 

Rua Dos Lusiados, 5 Sala B 

1300 Lisboa 

Tel: (35) (1)64 80 91 

TLX: 61562 



Ditram 

Avenida Miguel Bombarda, 133 

1 000 Lisboa 

Tel: (35) (1) 54 53 13 

TLX: 14182 

SPAIN 

ATD Electronica, S.A. 
Plaza Ciudad de Viena, 6 
28040 Madrid 
Tel: (34) (1) 234 40 00 
TLX: 42477 

ITT-SESA 

Calle Miguel Angel, 21-3 

28010 Madrid 

Tel: (34) (1)419 09 57 

TLX: 27461 

Metrologia Iberica, S.A. 
Ctra. de Fuencarral, n.80 
28100 Alcobendas (Madrid) 
Tel: (34) (1) 653 86 11 

SWEDEN 

Nordisk Elektronik AB 

Torshamnsgatan 39 

Box 36 

164 93Kista 

Tel: (46) 08-03 46 30 

TLX: 105 47 

SWITZERLAND 

Industrade A.G. 
Hertistrasse 31 
8304 Wallisellen 
Tel: (41) (01) 8328111 
TLX: 56788 

TURKEY 

EMPA Electronic 
Lindwurmstrasse 95A 
8000 Muenchen 2 
Tel: (49) 089/53 80 570 
TLX: 528573 

UNITED KINGDOM 

Accent Electronic Components Ltd. 
Jubilee House, Jubilee Road 
Letchworth, Herts SG6 1TL 
Tel: (44) (0462) 686666 
TLX: 826293 



Bytech-Comway Systems 
3 The Western Centre 
Western Road 
Bracknell RG1 2 1RW 
Tel: (44) (0344) 55333 
TLX: 847201 

Jermyn 

Vestry Estate 

Otford Road 

Sevenoaks 

KentTN14 5EU 

Tel: (44) (0732) 450144 

TLX: 95142 

MMD 

Unit 8 Southview Park 

Caversham 

Reading 

Berkshire RG4 OAF 

Tel: (44) (0734) 481666 

TLX: 846669 

Rapid Silicon 
Rapid House 
Denmark Street 
High Wycombe 
Buckinghamshire HP11 2ER 
Tel: (44) (0494) 442266 
TLX: 837931 

Rapid Systems 
Rapid House 
Denmark Street 
High Wycombe 
Buckinghamshire HP11 2ER 
Tel: (44) (0494) 450244 
TLX: 837931 

YUGOSLAVIA 

H.R. Microelectronics Corp. 

2005 de la Cruz Blvd., Ste. 223 

Santa Clara, CA 95050 

U.S.A. 

Tel: (1) (408) 988-0286 

TLX: 387452 

Rapido Electronic Components 

S.p.a. 

Via C. Beccaria, 8 

34133 Trieste 

Italia 

Tel: (39) 040/360555 

TLX: 460461 



*Field Application Location 



Intel 



INTERNATIONAL SALES OFFICES 



AUSTRALIA 

Intel Australia Pty. Ltd. 

Unit 13 

Allambie Grove Business Park 

25 Frenchs Forest Road East 

Frenchs Forest, NSW, 2086 

Tel: 61-2975-3300 

FAX: 61-2975-3375 



BRAZIL 

Intel Semicondutores do Brazil LTDA 
Av. Paulista, 1159-CJS 404/405 
01311 - Sao Paulo - S.P. 
Tel: 55-11-287-5899 
TLX: 3911153146 ISDB 
FAX: 55-11-287-5119 



CHINA/HONG KONG 

Intel PRC Corporation 
15/F, Office 1, CiticBldg. 
Jian Quo Men Wai Street 
Beijing, PRC 
Tel: (1) 500-4850 
TLX: 22947 INTEL ON 
FAX: (1) 500-2953 

Intel Semiconductor Ltd.* 
1 0/F East Tower 
Bond Center 
Queensway, Central 
Hong Kong 
Tel: (852) 844-4555 
FAX: (852) 868-1989 



INDIA 

Intel Asia Electronics, Inc. 
4/2, Samrah Plaza 
St. Mark's Road 
Bangalore 560001 
Tel: 011-91-812-215065 
TLX: 953-845-2646 INTL IN 
FAX: 091-812-215067 



JAPAN 

Intel Japan K.K. 

5-6 Tokodai, Tsukuba-shi 

Ibaraki, 300-26 

Tel: 0298-47-851 1 

TLX: 3656-160 

FAX: 0298-47-8450 

Intel Japan K.K.* 
Daiichi Mitsugi BIdg. 
1-8889 Fuchu-cho 
Fuchu-shi, Tokyo 183 
Tel: 0423-60-7871 
FAX: 0423-60-0315 

Intel Japan K.K.* 
BIdg. Kumagaya 
2-69 Hon-cho 

Kumagaya-shi, Saitama 360 
Tel: 0485-24-6871 
FAX: 0485-24-7518 



Intel Japan K.K.* 
Kawa-asa BIdg. 
2-11-5 Shin-Yokohama 
Kohoku-ku, Yokohama-shi 
Kanagawa, 222 
Tel: 045-474-7661 
FAX: 045-471-4394 

Intel Japan K.K.* 
Ryokuchi-Eki BIdg. 
2-4-1 Terauchi 
Toyonaka-shi, Osaka 560 
Tel: 06-863-1091 
FAX: 06-863-1084 

Intel Japan K.K. 
Shinmaru BIdg. 
1-5-1 Marunouchi 
Chiyoda-ku, Tokyo 100 
Tel: 03-201-3621 
FAX: 03-201-6850 

Intel Japan K.K. 
Green BIdg. 
1-16-20 Nishiki 
Naka-ku, Nagoya-shi 
Aichi 450 
Tel: 052-204-1261 
FAX: 052-204-1285 

KOREA 

Intel Technology Asia, Ltd. 

1 6th Floor, Life BIdg. 

61 Yoido-dong, Youngdeungpo-Ku 

Seoul 150-010 

Tel: (2) 784-8186, 8286, 8386 

TLX:K29312INTELKO 

FAX: (2) 784-8096 



SINGAPORE 

Intel Singapore Technology, Ltd. 

101 Thomson Road #21-05/06 

United Square 

Singapore 1130 

Tel: 250-7811 

TLX: 39921 INTEL 

FAX: 250-9256 



TAIWAN 

Intel Technology Far East Ltd. 

8th Floor, No. 205 

Bank Tower BIdg. 

Tung Hua N. Road 

Taipei 

Tel: 886-2-716-9660 

FAX: 886-2-717-2455 



INTERNATIONAL DISTRIBUTORS/REPRESENTATIVES 



ARGENTINA 

Dafsys S.R.L. 
Chacabuco, 90-6 Piso 
1069-Buenos Aires 
Tel: 54-1-334-7726 
FAX: 54-1-334-1871 

AUSTRALIA 

Email Electronics 
15-17 Hume Street 
Huntingdale, 3166 
Tel: 011-61-3-544-8244 
TLX: AA 30895 
FAX: 01 1-61-3-543-8179 

NSD-Australia 
205 Middleborough Rd. 
Box Hill, Victoria 3128 
Tel: 03 8900970 
FAX: 03 8990819 

BRAZIL 

Elebra Componentes 

Rua Geraldo Flausina Gomes, 78 

7 Andar 

04575 - Sao Paulo - S.P. 

Tel: 55-11-534-9641 

TLX: 55-1 1-54593/54591 

FAX: 55-11-534-9424 

CHINA/HONG KONG 

Novel Precision Machinery Co., Ltd. 

Room 728 Trade Square 

681 Cheung Sha Wan Road 

Kowloon, Hong Kong 

Tel: (852) 360-8999 

TWX: 32032 NVTNL HX 

FAX: (852) 725-3695 

INDIA 

Micronic Devices • 
Arun Complex 
No. 65 D.V.G. Road 
Basavanagudi 
Bangalore 560 004 
Tel: 011-91-812-600-631 
011-91-812-611-365 
TLX: 9538458332 MDBG 



Micronic Devices 

No. 516 5th Floor 

Swastik Chambers 

Sion, Trombay Road 

Chembur 

Bombay 400 071 

TLX: 9531 171447 MDEV 

Micronic Devices 
25/8, 1st Floor 
Bada Bazaar Marg 
Old Rajinder Nagar 
New Delhi 110 060 
Tel: 011-91-11-5723509 

011-91-11-589771 
TLX: 031-63253 MDND IN 

Micronic Devices 

6-3-348/1 2A Dwarakapuri Colony 

Hyderabad 500 482 

Tel: 011-91-842-226748 

S&S Corporation 
1587 Kooser Road 
San Jose, CA95118 
Tel: (408)978-6216 
TLX: 820281 
FAX: (408) 978-8635 



JAPAN 

Asahi Electronics Co. Ltd. 
KMM BIdg. 2-14-1 Asano 
Kokurakita-ku 
Kitakyushu-shi 802 
Tel: 093-511-6471 
FAX: 093-551-7861 

CTC Components Systems Co., Ltd. 
4-8-1 Dobashi, Miyamae-ku 
Kawasaki-shi, Kanagawa 213 
Tel: 044-852-5121 
FAX: 044-877-4268 

Dia Semicon Systems, Inc. 

Flower Hill Shinmachi Higashi-kan 

1 -23-9 Shinmachi, Setagaya-ku 

Tokyo 154 

Tel: 03-439-1600 

FAX: 03-439-1601 



Okaya Koki 
2-4-18 Sakae 
Naka-ku, Nagoya-shi 460 
Tel: 052-204-2916 
FAX: 052-204-2901 

Ryoyo Electro Corp. 
Konwa BIdg. 
1-12-22 Tsukiji 
Chuo-ku, Tokyo 104 
Tel: 03-546-5011 
FAX: 03-546-5044 

KOREA 

J-Tek Corporation 

3rd Floor, Samho BIdg. 

997-9 Taechi-Dong Kangnam-Gu 

Seoul 135-283 

Tel: (822) 557-8039 

FAX: (822) 557-8304 

Samsung Electronics 
Samsung Main BIdg. 
250, 2-KA, Taepyung-Ro 
Chung-Ku, Seoul 
C.P.O. Box 8780 
Tel: (822) 751-3680 
TWX: KORSST K 27970 
FAX: (822) 774-7445 

MEXICO 

SSB Electronics, Inc. 

675 Palomar Street, BIdg. 4, Suite A 

Chula Vista, CA 9201 1 

Tel: (619)585-3253 

TLX: 287751 CBALL UR 

FAX: (619) 585-8322 

Dicopel S.A. 

Tochtii 368 Fracc. Ind. San Antonio 

Azcapotzaico 

C.P. 02760-Mexico, D.F. 

Tel: 52-5-561-3211 

TLX: 177 3790 Dicome 

FAX: 52-5-561-1279 

PHI S.A. de C.V. 
Fco. Villa esq. Ajusco s/n 
Cuernavaca- Morelos 
Tel: 52-73-13-9412 
FAX: 52-73-17-5333 



NEW ZEALAND 

Email Electronics 
36 Olive Road 
Penrose, Auckland 
Tel: 011-64-9-591-155 
FAX: 011-64-9-592-681 



SINGAPORE 

Electronic Resources Re, Ltd. 
17 Harvey Road 
#03-01 Singapore 1336 
Tel: (65) 283-0888 
TWX: RS 56541 ERS 
FAX: (65) 289-5327 



SOUTH AFRICA 

Electronic Building Elements 

178 Erasmus St. (off Watermeyet St.) 

Meyerspark, Pretoria, 0184 

Tel: 011-2712-803-7680 

FAX: 011-2712-803-8294 



TAIWAN 

Micro Electronics Corporation 

12th Floor, Section 3 

285 Nanking East Road 

Taipei, R.O.C. 

Tel: 886-2-506-3320 

FAX: 886-2-719-7916 

Acer Sertek Inc. 
15th Floor, Section 2 
Chien Kuo North Rd. 
Taipei 10479 R.O.C. 
Tel: 886-2-501 0055 
TWX: 23756 SERTEK 
FAX: 886-2-501 2521 



*Field Application Location 



UNITED STATES 
Intel Corporation 
3065 Bowers Avenue 
Santa Clara, C A 95051 

JAPAN 

Intel Japan K.K. 

5-6 Tokodai, Tsukuba-shi 

Ibaraki, 300-26 

FRANCE 

Intel Corporation S.A.R.L. 

1, Rue Edison, BP 303 

78054 Saint-Quentin-en-Yvelines Cedex 

UNITED KINGDOM 

Intel Corporation (U.K.) Ltd. 

Pipers Way 

Swindon 

Wiltshire, England SN3 IRJ 

WEST GERMANY 

Intel GmbH 

Dornacher Strasse 1 

8016 Feldkirchen bei Muenchen 

HONG KONG 
Intel Semiconductor Ltd. 
10/F East Tower 
Bond Center 
Queensway, Central 

CANADA 

Intel Semiconductor of Canada, Ltd. 
190 Attwell Drive, Suite 500 
Rexdale, Ontario M9W 6H8 
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